Weaponizing favicon.ico for Bug Bounties, OSINT and what not

Hello there, I am too lazy when it comes to writing blogs and writeups, but hey look, I wrote this one xD.

Long Story Short

I have been using favicon.ico hashes for a long time now to find new assets, IP addresses and technologies owned by a company. Recently I noticed this fairly small and simple trick trending on Twitter; below are some screenshots:

[Screenshot: favicon hash for finding Spring Boot instances]
[Screenshot: Jason Haddix's tweet on the same]
[Screenshot: $4,300 bounty (exposed /heapdump and /env)]

So I decided to write a blog on the same. I will try to explain my methodology and how I use fingerprint-based detection with favicon hashes, and I will show the working of "FavFreak", a tool of mine for making your work a hell of a lot easier. Let's dive into "The lesser known art of Recon using Favicon hashes".

Introduction

What is favicon.ico

Modern browsers show a small image/icon to the left of the webpage title; that icon is known as favicon.ico. It is generally fetched from https://anywebsite/favicon.ico, and browsers request it automatically whenever you browse a website.

[Screenshot: medium.com's favicon.ico]

How to calculate Favicon hashes from favicon.ico

Using Python 2

[Screenshot: favicon-hash.py]

Using Python 3

[Screenshot: favicon-hash.py]

Source: https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a

Example:

Let's calculate the favicon hash for https://medium.com/favicon.ico

[Screenshot: favicon-hash.py]
[Screenshot: favicon hash]

I think I have covered enough basics about favicon.ico and favicon hashes. Now let's dive into the interesting part.

Favicon Hashes + Shodan

You can search for assets/IPs by favicon hash on Shodan using the http.favicon.hash:[Favicon hash here] filter.

Example:

Generally the favicon hash of any Spring Boot application is 116323821, so we can use the Shodan filter http.favicon.hash:116323821 to find Spring Boot instances.

[Screenshot: results from Shodan]

Here is a one-liner for doing the same using the Shodan CLI:

$ shodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}'

Result:

[Screenshot: CLI is fun]

Note: this is just one example; you can use different favicon hashes for different services. Be creative!

My Methodology

[Screenshot: Mind Map]

I start with my recon process and try to find as many assets as possible. I then compute the favicon hash for each domain/subdomain/IP and match those hashes against my fingerprints.json.

$ cat fingerprints.json 
{
"116323821" : "Potential Spring Boot instance",
"blah-blah" : "Potential XYZ instance",
.. .. .. .. ..
.. .. .. .. ..
and so on
}

If any favicon hash matches one of the fingerprints in fingerprints.json, I store the matched hosts in a separate file and hunt for already known issues on those web apps (for example, testing for /env, /heapdump and /logfile on Spring Boot applications whenever a hash matches my Spring Boot fingerprint).
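To make the two steps above concrete (computing the hash as in the "How to calculate Favicon hashes" section, then grouping hosts and matching against a fingerprint dictionary as in "My Methodology"), here is an added example. It is my own illustration, not the gist's script and not FavFreak's code. It assumes Shodan's convention: the raw favicon bytes are base64-encoded with a line break after every 76 characters, and the MurmurHash3 x86 32-bit hash (seed 0) of that text, read as a signed integer, is the favicon hash. MurmurHash3 is implemented inline so nothing beyond the standard library is needed; the icon bytes, hostnames and the second fingerprint entry are constructed for the demo, and the network helper is only used when the script is run with URLs on stdin.

```python
import base64
import json
import sys
import urllib.request
from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, the function behind mmh3.hash(), as a signed 32-bit int."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    length = len(data)
    body_end = length - (length % 4)
    for i in range(0, body_end, 4):            # 4-byte blocks, little-endian
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = _rotl32((k1 * c1) & MASK32, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail = data[body_end:]                     # 0-3 leftover bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = _rotl32((k1 * c1) & MASK32, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    h1 ^= length                               # finalisation mix
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1 - 0x100000000 if h1 & 0x80000000 else h1


def favicon_hash(raw_icon: bytes) -> int:
    """Shodan-style favicon hash: murmur3 over base64 text that keeps the
    76-column line breaks. base64.encodebytes produces exactly that layout
    (as does codecs "base64"); plain b64encode would give a different hash."""
    return murmurhash3_32(base64.encodebytes(raw_icon))


def shodan_dork(fav_hash: int) -> str:
    """Search filter in the form the post uses, e.g. http.favicon.hash:116323821."""
    return f"http.favicon.hash:{fav_hash}"


def match_fingerprint(fav_hash: int, fingerprints: Dict[str, str]) -> Optional[str]:
    """fingerprints.json keys are the hash written as a string, as in the post."""
    return fingerprints.get(str(fav_hash))


def group_by_hash(icons: Dict[str, bytes]) -> Dict[int, List[str]]:
    """Sort hosts by favicon hash so identical deployments cluster together."""
    groups: Dict[int, List[str]] = {}
    for url, raw in icons.items():
        groups.setdefault(favicon_hash(raw), []).append(url)
    return groups


def fetch_favicon(base_url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Network helper (hypothetical); returns None on any error or non-200."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/favicon.ico", timeout=timeout) as resp:
            return resp.read() if resp.status == 200 else None
    except (OSError, ValueError):
        return None


# Constructed stand-ins for fetched favicon bytes (not real icons).
SAMPLE_ICONS: Dict[str, bytes] = {
    "https://a.example": b"\x00\x00\x01\x00icon-A" * 40,
    "https://b.example": b"\x00\x00\x01\x00icon-A" * 40,   # same icon as a.example
    "https://c.example": b"\x00\x00\x01\x00icon-C" * 40,
}

# Constructed fingerprints.json: the Spring Boot hash is the one quoted in the
# post; the second entry is keyed on our constructed icon so the match fires.
FINGERPRINTS: Dict[str, str] = {
    "116323821": "Potential Spring Boot instance",
    str(favicon_hash(SAMPLE_ICONS["https://a.example"])): "Constructed demo fingerprint",
}


def report(icons: Dict[str, bytes], fingerprints: Dict[str, str]) -> List[str]:
    lines = []
    for h, hosts in group_by_hash(icons).items():
        label = match_fingerprint(h, fingerprints) or "no fingerprint match"
        lines.append(f"{h}  {label}  {shodan_dork(h)}  hosts={','.join(hosts)}")
    return lines


if __name__ == "__main__":
    # Usage: cat urls.txt | python3 this_script.py   (falls back to the demo data)
    urls = [u.strip() for u in sys.stdin if u.strip()] if not sys.stdin.isatty() else []
    fetched = {u: icon for u in urls if (icon := fetch_favicon(u)) is not None}
    print(json.dumps(report(fetched or SAMPLE_ICONS, FINGERPRINTS), indent=2))
```

The `-156908512` check in the test is the documented mmh3 value for "foo"; if your own implementation disagrees with the `mmh3` package on that vector, the hash will never match anything on Shodan, which is the most common reason a home-grown script "finds nothing".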

Automating all this

I have created a tool named "FavFreak" that makes my work a hell of a lot easier. It takes a list of URLs (with the http or https scheme) from stdin, fetches each favicon.ico and calculates its hash. It sorts the domains/subdomains/IPs by favicon hash, and the most interesting part is that it matches the calculated hashes against the hashes in its fingerprint dictionary and reports any match in the output. There is an option to generate Shodan dorks as well (that part is pretty basic and you can do it manually too).

Example

$ cat urls.txt | python3 favfreak.py -o output

Fetching /favicon.ico and generating hashes:

[Screenshot: fetching favicon.ico]

Subdomains/IPs sorted according to their favicon hashes:

[Screenshot: favicon hash output]

Fingerprint-based favicon hash detection:

The fingerprint dictionary looks like this:

[Screenshot: fingerprint dictionary]

If you are lazy, add --shodan and it will generate Shodan dorks for you based on the calculated favicon hashes:

[Screenshot: ready-made dorks]

Be creative and add your own fingerprint favicon hashes!

FavFreak can be found here: https://github.com/devanshbatham/FavFreak

Contact

Shoot me a DM: @0xAsm0d3us

#Offtopic but Important

This COVID pandemic affected animals too (in an indirect way). I will be more than happy if you show some love for animals by donating to Animal Aid Unlimited, which saves animals through street animal rescue, spay/neuter and education. Their mission is dedicated to the day when all living beings are treated with compassion and love. ✨

Lazy by day, Hacker by night