Uncovering Hidden Connections: Investigating Websites with Favicon Hashes

Discover how to use favicon hashes to uncover hidden connections between websites. Learn step-by-step techniques for effective OSINT investigations.

6/3/2024 · 4 min read

One of my favorite techniques for investigating a website is to calculate its favicon hash and find sites with the same hash. But what is a favicon? A favicon is the small picture next to the website’s title in a browser tab. In the image above you can see the favicon of my website. When criminals create their websites, sometimes they use the same favicon for each site. This is significant because it may be the only publicly available way to link multiple sites together and show that the same criminal is behind all of the sites.

The vast majority of websites have a favicon, and many websites have more than one. For websites with more than one, the actual image is usually the same; it’s just the image sizes that are different. Most websites use their own unique image for their favicon, but there are some websites that use the default favicon of whatever software or web server they’re using. If this is the case, you can determine what kind of software or web server they’re using, which may be helpful to your investigation. However, due to the number of websites using the same favicon, it most likely won’t help you find linked websites, although there are exceptions. Now that you know what the favicon is and where you can see it, how do we calculate its hash?

What is a Favicon Hash?
Locate the Favicon

First, we have to get the file of the favicon. Typically, it will be https://randomwebsite.com/favicon.ico, but I’ve seen plenty of websites that store it elsewhere, and sometimes “favicon” and “.ico” aren’t in the name. When navigating to a website, open the Developer Tools (Ctrl + Shift + I) and click on the “Network” tab. Here you can see all of the web requests being made by the website. Retrieving the favicon file should be one of the first requests made, so look for it near the top of the list. If you don’t immediately see it, try searching “favi” in the search tab. If you still haven’t found it, that means it’s under a different name, so you’ll have to look at each web request made. When doing this, look for image files. You may have to open each image file to match it with the favicon. You can do this by double-clicking on the web request, and it will open in a new tab.

Calculate the Hash

Once you have the URL containing the favicon, you’ll copy and paste it into the favicon hash calculator code. After running the code, you’ll get the output which is the favicon hash. If you’d rather use a website to get the favicon hash, visit https://favicon-hash.kmsec.uk/. Once you have the hash, there are a couple of things I like to do.

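import codecs
import mmh3  # third-party: pip install mmh3
import requests

response = requests.get("https://randomdomain.com/favicon.ico", timeout=10)  # favicon URL found in the Network tab
response.raise_for_status()  # stop rather than hash an error page
favicon = codecs.encode(response.content, "base64")  # base64 with line breaks; the hash depends on them
favicon_hash = mmh3.hash(favicon)  # signed 32-bit MurmurHash3
print(favicon_hash)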

Favicon Hash Calculator Code in Python 3
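As an added example (not the author's code), this standard-library-only Python sketch covers both steps above: it pulls favicon URLs out of a page's <link> tags, falling back to /favicon.ico, and reproduces the mmh3 value with a pure-Python MurmurHash3. The function names and the sample inputs are constructed for illustration.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urljoin

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, returned signed like mmh3.hash()."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    h, body = seed & mask, len(data) & ~3
    for i in range(0, body, 4):                     # full 4-byte blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (rotl((k * c1) & mask, 15) * c2) & mask
        h = (rotl(h ^ k, 13) * 5 + 0xE6546B64) & mask
    if data[body:]:                                 # 1-3 trailing bytes
        k = int.from_bytes(data[body:], "little")
        h ^= (rotl((k * c1) & mask, 15) * c2) & mask
    h ^= len(data)                                  # finalization mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon_bytes: bytes) -> int:
    # encodebytes() matches codecs.encode(..., "base64"): a newline every 76
    # characters and at the end. b64encode() output hashes to a different value.
    return murmur3_32(base64.encodebytes(icon_bytes))

class IconLinks(HTMLParser):  # hrefs of <link> tags whose rel ends in "icon"
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and a.get("href") and any(t.endswith("icon") for t in rel):
            self.hrefs.append(a["href"])

def favicon_urls(page_url: str, html: str) -> list:
    parser = IconLinks()
    parser.feed(html)
    urls = [urljoin(page_url, h) for h in parser.hrefs]
    return urls or [urljoin(page_url, "/favicon.ico")]  # conventional fallback

if __name__ == "__main__":
    html = '<link rel="shortcut icon" href="/static/img/logo.png">'  # constructed
    print(favicon_urls("https://example.com/login", html))
    h = favicon_hash(b"constructed bytes, not a real icon" * 4)
    print(f"http.favicon.hash:{h}")  # Shodan syntax from the article
```

Hash every URL that favicon_urls returns: a site that serves several icon sizes has several hashes, and any one of them may be the value shared with a linked site.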

First, search the hash in ZoomEye. ZoomEye is an IoT search engine that can scan the world (literally) for IoT devices, including websites. We can use ZoomEye to search for sites using the same favicon hash. In order to use ZoomEye, you’ll have to create an account, which is completely free. ZoomEye offers a free tier that is fairly comprehensive and allows you to see the first 400 search results, which is way more than we need for searching the favicon hash. Also note that you won’t be able to access the website if you’re using a VPN. To search the favicon hash, type “iconhash: faviconhash” in the search bar. ZoomEye offers a really good service, but just because it doesn’t return any results doesn’t mean they don’t exist. This has happened to me a few times.

ZoomEye (zoomeye.hk)
Shodan (shodan.io)

The second thing I do is search in Shodan. Shodan is similar to ZoomEye in that they’re both IoT search engines. However, I’ve noticed that they typically yield different results, specifically when searching favicon hashes. To use the search feature in Shodan, you’ll need an account, which is free. To search the favicon hash, type “http.favicon.hash:faviconhash”. Note that there are no spaces between the colon and the first character of your favicon hash. Once again, Shodan and ZoomEye usually return different results so it’s good to use both of them.

If you get a lot of results from ZoomEye and Shodan, the favicon most likely belongs to the company of the web server or software that the website uses. In this case, I like to search the favicon hash in this list to see if there are any matches.

Favicon Hash Database
