Using Favicon for OSINT

Reading Time: 6 Minutes

Introduction

When digging into Open-Source Intelligence (OSINT) techniques, it’s often the little things that end up mattering most. In this article, we’ll take a closer look at one of the most overlooked tools: the favicon – the tiny icon that appears next to a site’s name in your browser. At first glance, it seems trivial, but under the surface, favicon hashes can lead you to hidden infrastructure, related services, and sometimes even attacker-controlled systems.

What is Favicon?

A favicon (short for “favorite icon”) is a small icon associated with a website, typically displayed in the browser tab (left side of the website’s title), bookmarks, and history. It helps users visually identify websites and enhances branding.

Favicons are commonly stored as .ico, .png, or .svg files and are referenced in the website’s HTML using the <link> tag.

E.g.

<link rel=”icon” href=”/favicon.ico” type=”image/x-icon”>

They are usually located at /favicon.ico on a web server but can also be dynamically loaded.

Because favicons are often unique to a specific platform, company, or software stack, they can be useful in OSINT investigations. They can be leveraged and used to uncover related domains or subdomains, spot phishing sites, or get clues about the underlying technology and infrastructure in use.

youtube.com’s favicon.ico

Where are favicons usually stored?

Default Location: /favicon.ico

• Many websites store their favicon at the root directory:
  https://example.com/favicon.ico
• Simply appending /favicon.ico to a domain can often retrieve the file.
  Example: Visit https://github.com/favicon.ico in a browser.
• Downloading the favicon with wget: wget https://domain.com/favicon.ico -O domainfavicon.ico

Specified in the HTML Source (<link> Tag)

• Favicons are often specified in the HTML <head> section:
  <link rel=”icon” href=”/assets/favicon.ico” type=”image/x-icon”>
• Sometimes, websites use multiple favicons for different devices:
  <link rel=”icon” type=”image/png” sizes=”32×32″ href=”/favicon-32×32.png”>
  <link rel=”icon” type=”image/png” sizes=”16×16″ href=”/favicon-16×16.png”>
• To locate the favicon, view the page source (Ctrl + U in most browsers) and search for “favicon” or rel=”icon”.

medium.com – favicon location inside HTML header tag

Why are favicons relevant to OSINT?

You wouldn’t think much about favicons beyond their tiny role in web design, but in OSINT, they’re surprisingly useful for tracking down connections between websites, subdomains, and even entire infrastructure setups.

Favicons are typically static for websites and often remain consistent across subdomains.

Since companies tend to reuse the same favicon across multiple web assets, its MurmurHash3 fingerprint can act like a unique digital signature, helping analysts’ piece together related domains or uncover shadow IT lurking in the background.

By searching for a favicon hash on tools like Shodan, Censys, FoFa etc., security teams can stumble across hidden services, overlooked infrastructure, or unexpected relationships between different systems. It’s especially handy for spotting hosting providers, identifying origin IPs hiding behind CDNs, subdomain enumeration, and even tracking attacker-controlled assets—all of which can reveal more about a target’s online presence.

And it’s not just about finding vulnerabilities on the offensive side. Defenders can flip the script too. By monitoring their own favicon fingerprints across public datasets, companies can catch phishing sites impersonating them, flag misconfigured assets, and lock down exposed services before an attacker takes advantage of them. The reality is, bad actors are already using these tricks—so why not turn the tables and use them to your own advantage?

Calculating the favicon hash

One of the next steps is figuring out the Murmur3 hash for the website’s favicon. This hash acts like a digital fingerprint, helping search engines recognize and index web assets. To generate it, we’ll use Python’s mmh3 module—this method is widely used by platforms like Shodan, Censys, Fofa, and Zoomeye to classify and identify sites based on their favicons.

• Calculating the hash using a python3 script:
  • Use this script to run with python3 and calculate the favicon hash (insert your favicon’s URL in the line: requests.get(‘https://github.com/favicon.ico’) ).

Script:

# python 3

import mmh3

import requests

import codecs

response = requests.get('https://github.com/favicon.ico')

favicon = codecs.encode(response.content,"base64")

hash = mmh3.hash(favicon)

print(hash)

Usage:

python3 your_python_filename.py

Result: 1848946384

Source: https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a

• Or, you can use this script to calculate the hash by providing the URL as a command-line argument instead of hardcoding it inside the script.

Script:

import mmh3

import requests

import codecs

import sys

# Check if URL is provided

if len(sys.argv) != 2:

print(f"Usage: {sys.argv[0]} ")

sys.exit(1)

url = sys.argv[1] # Get URL from command-line argument

try:

response = requests.get(url, timeout=10) # Fetch the favicon with a timeout

favicon = codecs.encode(response.content, "base64") # Convert to base64

hash_value = mmh3.hash(favicon) # Compute mmh3 hash

print(f"Favicon mmh3 Hash: {hash_value}")

except requests.exceptions.RequestException as e:

print(f"Error fetching favicon: {e}")

Usage:

python3 your_python_filename.py https://github.com/favicon.ico

Result: Favicon mmh3 Hash: 1848946384

• You can also run this as a one-liner:

python3 -c "import mmh3, requests, codecs, sys; print(mmh3.hash(codecs.encode(requests.get(sys.argv[1], timeout=10).content, 'base64')))" "https://github.com/favicon.ico"

Result: 1848946384

Once you have calculated the Murmur3 hash of a favicon, you can use it in OSINT search engines like Shodan, Censys, Fofa, and ZoomEye to find other websites using the same favicon and other infrastructure related information.

Shodan: http.favicon.hash:1848946384

Fofa: icon_hash=”1848946384″

• Websites that automate the process:
  • https://favicon-hash.kmsec.uk/
  • https://faviconhasher.codejavu.tech/

OSINT use cases for Favicons

Since we covered enough basics about favicon.ico and favicon hashes.

Now let’s dive into the interesting part.

Find infrastructure IP’s that are not behind CDNs, reverse proxies

Websites often use services like CDNs, WAFs, or reverse proxies (Cloudflare, Imperva Incapsula, etc.) to hide their true IP addresses. But interestingly, in some cases, identifying the favicon hash can reveal the origin IP or find related organization’s infrastructure IP’s not protected by reverse proxies—essentially bypassing that layer of protection. It’s not guaranteed, but it’s a clever trick worth knowing about.

By using the favicon hash in search engines such as Shodan, Censys, FOFA, or ZoomEye, you can often uncover numerous websites or servers that share the same favicon. In many cases, these sites are hosted behind CDNs or similar protective layers, but some of them are not.

Start by entering the favicon hash into a search engine. In this write-up, we’ll focus on FOFA and Shodan, as they typically return the most comprehensive set of results.

Shodan: http.favicon.hash:1848946384

Fofa: icon_hash=”1848946384″

A basic review of the results might look something like this:

Look for Non-CDN Ips

Review the results:

• Identify IPs not protected by Cloudflare/Akamai/etc.
• Check TLS certs, HTTP headers, response titles, and HTML content for matches.

These IPs may belong to:

• Misconfigured origin servers
• Staging/pre-prod environments
• APIs leaking their real backend

Verify Origin

To confirm:

• Compare responses between the CDN-protected domain and the exposed IP.
• Look for identical titles, HTML structure, favicons, or error pages.

Favicon hash search results on FoFa search engine

Finding related infrastructure (subdomains, staging environments, hidden servers) – discovering exposed admin panels and services

Another method uses favicon hashes to help uncover related subdomains or infrastructure that may be linked to the same target or organization. It’s not always conclusive, but it can offer useful leads during an investigation. Since many organizations reuse the same favicon across production domains, subdomains, staging environments, development servers, and even forgotten assets, it’s often possible to discover them by applying the same search filter used earlier.

Using the same favicon hash filter on Fofa or Shodan:

Shodan: http.favicon.hash:1848946384

Fofa: icon_hash=”1848946384″

Alternatively, you can refine your search using additional operators—for example, to narrow results down to login portals.

Fofa:
icon_hash=”1848946384″ && (title==”Login” || title==”Sign In” || body=”login” || body=”sign in”)

Shodan:

http.favicon.hash:1848946384 title:”login”

These queries help surface systems with matching favicons and login-related content.

You can also experiment with favicon hashes combined with logical filters to uncover:

• title:”admin”
• body:”portal”
• html:”/manage”
• title:”Grafana”
• html:”phpMyAdmin”
• title:”Kibana”title:”dev”
• port:5601 (Kibana), port:8081 (SonarQube), port:15672 (RabbitMQ)

Additionally, you can use regex patterns in your Fofa queries to further refine results. This feature, however, requires a premium membership.

E.g.

icon_hash=”116323821″ && (title~=”admin” || body~=”admin” || header~=”Admin”)

Next Steps

After identifying subdomains, the next step is a deeper analysis and enumeration phase. This process helps highlight which assets might be of interest, appear misconfigured, or show signs of potential vulnerabilities.

Analyze Page Titles

• Use tools like httpx or gowitness to quickly extract <title> tags from a list of URLs.
• Page titles can leak valuable reconnaissance data such as:
• Technology stacks (e.g., Spring Boot Admin, SonarQube Dashboard)
• Deployment environments (staging, internal, dev, qa)
• App names and internal tools not indexed by search engines

Fingerprint Technologies

Identify backend and frontend stacks to map the attack surface:

Tools:

• Whatweb
• Wappalyzer
• nmap -sV
• Browser + Burp (check headers, favicons, JS files)

Look for frameworks such as:

• Apache Struts
• Jenkins
• Grafana
• Flask, Express.js, Ruby on Rails
• CMS platforms

Check for Exposed Directories and Login Portals

Look for unauthenticated access to common sensitive endpoints:

/admin/
/dashboard/
/login/
/upload/

These paths often expose:

• Admin panels
• File upload portals (RCE risk)
• Authentication endpoints vulnerable to brute-force or bypass
• Misconfigured dashboards or monitoring tools

Tools:

• dirsearch
• ffuf
• gobuster
• feroxbuster

Run Quick Vulnerability Probes

Check known weak/default endpoints based on technology fingerprints:

Common Targets:

• Spring Boot:
  • /env, /actuator/, /heapdump, /logfile
  • → May leak secrets, memory dumps, or allow remote code execution
• Laravel:
  • /debugbar, .env
  • → .env leaks DB creds, AWS keys, mail creds
• GitLab:
  • /users/sign_in, /admin/
  • → GitLab versions <13.10 had multiple auth-related CVEs
• CMS (WordPress, Joomla, etc.):
  • /wp-admin, /wp-json, /xmlrpc.php
  • → Common in brute-force attacks or plugin enumeration

Tools:

• nuclei (with community or custom templates)
• wpscan
• joomscan
• typosquatter
• subjs (for JS endpoint discovery)

Identify Authentication Mechanisms

Determine how authentication is handled:

• Is there a login portal? Look at the request/response cycle.
• Identify auth type:

• HTTP Basic / Digest
• JSON Web Tokens (JWT)
• OAuth2 / SSO (SAML, OpenID)
• Custom form-based authentication

Assess for:

• User enumeration via response diffing
• Rate-limiting or lockout protections
• Brute-force resistance (Captcha, 2FA)
• Login CSRF protection

Tracking Attacker-Controlled Servers and Phishing Campaigns

Attackers tend to reuse favicons across different parts of their infrastructure, often because it’s quick and convenient. In phishing campaigns, the goal is usually to imitate legitimate websites as closely as possible, and that includes the favicon. To pull this off, threat actors will often copy the icon directly from real services like Microsoft, PayPal, GitHub, or Apple. Since these icons are rarely modified, the hash value they generate stays the same. That identical hash becomes a sort of fingerprint—one defenders and researchers can use to spot other servers using the same favicon, which usually belong to the same infrastructure cluster or phishing campaign.

This tactic isn’t limited to phishing sites either. Some command-and-control frameworks like Cobalt Strike, Empire, or Metasploit ship with default web UIs that include a stock favicon. A lot of attackers leave it as-is, either because they don’t care or because the setup is automated and reused over and over. That means the same icon might show up on dozens of servers. By hashing that favicon and searching on platforms we mentioned earlier, researchers can often connect the dots between infrastructure pieces that might otherwise seem unrelated.

What’s powerful about this approach is how passive it is. You don’t need to scan anything or touch the attacker’s system, you just extract the favicon, hash it, and check who else is using it. That makes it especially useful for identifying low-effort phishing kits or automated setups where no one bothered to change the defaults. Favicons tend to get overlooked, and attackers rarely think to randomize or obfuscate them. But that’s exactly what makes them a quiet goldmine for mapping malicious infrastructure using open-source tools.

Best practices and Pitfalls

• Make Automation Part of the Process

Add favicon hashing into your recon or subdomain workflows. Tools like httpx can be used to probe live hosts and grab the favicon, which you can then hash automatically using MurmurHash3. Tie this into automated queries through platforms like FOFA or Shodan so you can quickly find other systems using the same icon. This kind of setup can scale easily and lets you track infrastructure changes almost in real time.

• Use More Than One Search Engine

No single OSINT platform gives you the full picture. Each search engine has its own strengths, some index faster, others go deeper, and a few might focus on different geographic regions. For instance, FOFA might return hundreds of hits on a specific hash, while Shodan shows just a handful. Querying across tools like FOFA, Shodan, Censys, and ZoomEye gives you broader coverage.

• Watch Out for Noise

Be mindful of default favicons that are reused across unrelated websites. Many content management systems like WordPress, Joomla, or Drupal, and common admin panels such as cPanel or Plesk ship with the same default icons. If you rely solely on a favicon hash without checking other details (like response headers, SSL certs, content, or tech stack), you risk grouping together servers that have nothing to do with each other.

• Scan on a Regular Basis

Infrastructure isn’t static. Domains go offline, change IPs, or show up again in new campaigns. By running regular scans for known favicon hashes, you can catch signs of reused kits, revived C2 panels, or forgotten subdomains that come back online. It’s also a great way to keep your subdomain maps fresh, whether you’re doing offensive research or working on defense.

Understand Access Restrictions

Some platforms lock more advanced queries like regex searches or large-volume hash lookups behind premium plans or API keys. If you’re tracking infrastructure at scale, these features are worth the investment. They open the door to continuous monitoring and allow you to automate discovery and alerting as part of a larger threat intelligence workflow.

Last Thoughts

Check everything. Seriously.

When you’re working with favicon hashes, it’s easy to get lazy after the first few obvious hits—but that’s where most people miss the good stuff. Dig through every result you find, across as many search engines as you can. Sometimes the real gems are buried just a little deeper, hiding behind what looks like noise. It’s not always glamorous, but persistence is what makes the difference. Whether you’re mapping out infrastructure, tracking threat groups, or chasing down vulnerabilities, thoroughness will always put you ahead. The next big find could be hiding in the spot everyone else overlooked.

We hope that this write up has taught you something new. If you enjoyed it, the best way that you can support us is to share it! If you’d like to hear more about us, you can find us on LinkedIn, Twitter, YouTube.

 

Are you a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to Information Security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]