ZeroTrace OSINT
Favicon Hash
mmh3 / sha256 / base64 of a site's favicon, plus Shodan and Censys facet links for cross-site matching.
A favicon is a tiny image, but its hash is one of the cheapest fingerprinting tools in OSINT. Two unrelated-looking sites that share a favicon hash are almost certainly running the same software, or were configured by the same operator copying configurations.
The tool fetches the favicon, computes the hashes Shodan and Censys both index, and offers one-click facet links so you can see every other internet-facing host that shares the same favicon.
What you get
| Field | What it tells you |
|---|---|
| Favicon image | Visual preview |
| mmh3 hash | The MurmurHash3 hash of the base64-encoded favicon — Shodan's facet format |
| base64 of the favicon | The raw base64 (Shodan / Censys both accept this as input) |
| sha256 hash | The SHA-256 of the favicon bytes — useful for matching identical files |
| md5 hash | Same purpose as SHA-256, useful where MD5 is the convention (rare these days) |
| Common-fingerprint match | If the favicon matches a known software default (Wappalyzer pattern, Jenkins, GitLab, GitHub Enterprise, Apache directory listing), the match is named |
| Shodan / Censys facet links | One-click open in the browser — see every host on the internet sharing this favicon |
Why favicon hashes matter
The fingerprinting argument:
- Most operators do not change the default favicon shipped with their software.
- Each piece of software has a unique default favicon.
- Therefore: matching favicons across hosts strongly implies the same software.
Real-world examples:
- A list of phishing sites sharing the favicon of a real bank suggests one operator copied the bank's site as a template.
- A list of company-domain assets sharing a custom corporate favicon identifies the company's full server footprint, even on cloud hosts that do not have obvious DNS attribution.
- A favicon matching the default Jenkins / GitLab / Grafana favicon reveals an exposed admin tool.
Common-fingerprint match
The toolkit ships a small curated catalog of well-known default favicons:
- Major web frameworks' default icons (Apache, nginx default pages).
- Common admin tools (Jenkins, GitLab, Grafana, Kibana, Wireshark, etc.).
- Default favicons from Wappalyzer's fingerprint catalog.
A match flags both the software and the hash format that matched.
Shodan / Censys facet links
The mmh3 hash, in particular, is the format Shodan facet-searches favicons by. The tool produces one-click links in the format https://www.shodan.io/search?query=http.favicon.hash:<HASH> and the equivalent Censys URL.
Click the link and the browser opens to the search engine showing every host indexed with the matching favicon.
For attribution work — "are these forty domains operated by the same actor?" — favicon hashing is one of the lowest-effort, highest-signal techniques available. It is also one of the hardest to fake at scale because every separate-favicon would have to be uniquely created for every site.
Pivots
| Click on... | Pivot to |
|---|---|
| Hash | Open in Shodan / Censys (URL builders) |
| Site URL | Site analysis, TLS inspector, certificate transparency |
| Common-fingerprint match name | (no pivot — informational) |
Bulk favicon hashing
Bulk paste accepts many URLs and returns the favicon hash for each. Aggregate table groups by hash so you can spot clusters of sites sharing a favicon at a glance.
Sources
- The favicon URL itself (typically
<site>/favicon.ico, with fallback to<link rel="icon">from the HTML). - The "Open in Shodan / Censys" links go to the respective search engines — no scraping involved.
- The common-fingerprint catalog is bundled with the application.