Introducing FaviconLocator: The Eazy Button to Searching by Favicon

 

Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site.


Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs.

Most of us rely on favicons on a daily basis, but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re going to talk about here, as well as introduce a new tool.

In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us:

  • Trace the online presence of organizations and discover obscure digital assets

  • Map the online infrastructure of potential threats

  • Potentially de-anonymize the true IP address of a site on the dark web

  • A heck of a lot more!

Consider a scenario where security analysts are tasked with mapping the online presence of a suspicious organization. Traditional methods of looking up IP addresses, DNS information, historic WHOIS, etc., are effective, but many don’t think about using the favicon. A skilled OSINT practitioner can compute the hashes of a favicon and, using the correct search syntax on platforms like Shodan.io, zoomeye.org, and Censys.io, quickly uncover other web assets linked to the same favicon, revealing potentially hidden or unknown websites associated with the organization.

What hashes do you need to compute? How do you do it? What’s the correct search syntax on these sites?? Let’s look at a new tool called FaviconLocator that makes it extremely easy!

Locating favicon files on websites is the fundamental first step in leveraging FaviconLocator for digital investigations. Favicons are typically located in the root directory of a website, but they can also be found in subdirectories or be specified in the website's HTML code. To locate a favicon, I usually start by checking the standard location, which is "/favicon.ico" at the domain's root. For instance, for a website at www.kfc.com, the favicon is found by navigating to www.kfc.com/favicon.ico. This is by far the most common location, but not all websites use this standard naming convention or location.

In cases where the favicon is not in the root directory, inspecting the website’s HTML source code is necessary. This can be done by right-clicking on the webpage and selecting “View Page Source” or similar options, depending on the browser. Within the HTML code, look for a link element with a rel attribute of “icon” or “shortcut icon”. This element will contain the href attribute specifying the path to the favicon file. This path might be absolute, pointing directly to the favicon's URL, or relative, indicating its location relative to the webpage’s URL. I had to look at over a dozen sites before I found a site that didn’t use the default favicon location, but I finally found one, and was able to stick to the fast food theme: mcdonalds.com.
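The lookup described above, as an added Python example (not part of FaviconLocator): it reads the link elements, resolves relative and protocol-relative href values against the page URL, and falls back to /favicon.ico. The names IconLinkParser and favicon_candidates, the example.com URLs, and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class IconLinkParser(HTMLParser):
    """Collects href values of <link> tags whose rel list contains 'icon'."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.icons = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]  # <base href> changes how relative paths resolve
        elif tag == "link" and a.get("href"):
            # rel is a space-separated, case-insensitive token list, so
            # "icon" and "shortcut icon" both match here.
            if "icon" in a.get("rel", "").lower().split():
                self.icons.append(a["href"])


def favicon_candidates(page_url, html):
    """Return absolute favicon URLs: declared icons first, then /favicon.ico."""
    parser = IconLinkParser()
    parser.feed(html)
    base = urljoin(page_url, parser.base) if parser.base else page_url
    found = [urljoin(base, href) for href in parser.icons]
    default = urljoin(page_url, "/favicon.ico")
    if default not in found:
        found.append(default)
    return found


# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/site.css">
<link rel="Shortcut Icon" href="assets/img/fav.png">
<link rel="icon" href="//cdn.example.org/icons/fav-32.png">
</head><body></body></html>"""

if __name__ == "__main__":
    page = "https://www.example.com/menu/index.html"
    for url in favicon_candidates(page, SAMPLE_HTML):
        print(url)
```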




Now that we’ve covered how to find and download the favicon file, let's talk about the searching.

Shodan.io, search.censys.io, and zoomeye.org all index and catalog favicons, but in order to search these repositories, you have to compute the hash of the favicon file you downloaded. Which hashing algorithm do you use? It depends.

Search.censys.io uses the popular MD5 hashing algorithm. Once you’ve obtained the MD5 hash of the favicon, it’s as simple as typing that into the search box on the site.











While many of you have likely heard of MD5, shodan.io and zoomeye.org use a hashing algorithm that is likely new to you: mmh3. MurmurHash3 (mmh3 for short) is an algorithm used for its speed and processing efficiency.

Once you have obtained the mmh3 hash, you can search shodan.io with the following syntax: http.favicon.hash:YOURHASHHERE. Here is an example:



The final site we’ll look at here that allows you to search for favicons is zoomeye.org. Like Shodan, it also uses the mmh3 hashing algorithm, but the search syntax is different: iconhash:"YOURHASHHERE". Here is an example:



Now that we’ve talked about how to identify the favicon files and search these sites, let’s look at a new Python tool that makes hashing, and knowing the search syntax, super easy.

The tool is called FaviconLocator and can be downloaded here: https://github.com/ArgeliusLabs/FaviconLocator

You will need Python installed on your system and will likely need to run “pip install mmh3” before its first use to install the mmh3 hashing library used by shodan and zoomeye. Once you’ve downloaded the tool, just put any favicon files you downloaded in the same directory and run the tool. It will ask you for the name of the favicon file (including the extension) you would like to hash. It will then instantly provide you with the correct hashes, and make it even easier by providing the search syntax for shodan, zoomeye and censys, making your searches as easy as copy and paste.
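The hashing and query-building steps described above, as an added Python sketch (not FaviconLocator's own code). murmur3_32 is a pure-Python stand-in for mmh3.hash so it runs without the library, and favicon_hashes assumes the widely used Shodan convention of hashing the base64-encoded file (76-character lines, trailing newline) rather than the raw bytes, which the post does not spell out; SAMPLE_ICON is constructed.

```python
import base64
import hashlib


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, returned as a signed int like mmh3.hash()."""
    mask = 0xFFFFFFFF
    h = seed & mask
    full = len(data) & ~3  # bytes covered by complete 4-byte blocks
    for i in range(0, len(data), 4):
        k = int.from_bytes(data[i:i + 4], "little")  # last chunk may be 1-3 bytes
        k = (k * 0xCC9E2D51) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * 0x1B873593) & mask
        h ^= k
        if i < full:  # only complete blocks get the rotate-and-add step
            h = ((h << 13) | (h >> 19)) & mask
            h = (h * 5 + 0xE6546B64) & mask
    h ^= len(data) & mask
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hashes(content: bytes) -> dict:
    """MD5 of the raw file, plus mmh3 of its base64 text (assumed convention)."""
    b64 = base64.encodebytes(content)  # wraps at 76 chars, ends with "\n"
    return {"md5": hashlib.md5(content).hexdigest(), "mmh3": murmur3_32(b64)}


def search_queries(content: bytes) -> dict:
    """Build the search strings given in the post for each platform."""
    h = favicon_hashes(content)
    return {
        "censys": h["md5"],
        "shodan": f"http.favicon.hash:{h['mmh3']}",
        "zoomeye": f'iconhash:"{h["mmh3"]}"',
    }


# Constructed bytes standing in for a downloaded favicon file.
SAMPLE_ICON = b"\x00\x00\x01\x00\x01\x00" + bytes(range(64))

if __name__ == "__main__":
    for site, query in search_queries(SAMPLE_ICON).items():
        print(f"{site}: {query}")
```

The mmh3 value is a signed 32-bit integer, so a leading minus sign is part of the hash and must be kept when pasting the query.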



Hopefully this tool makes it easy to incorporate favicon searches into your investigations! If you find anything interesting with it, I’d love to hear about it in the comments below!
