Favicon Hash Recon

Last updated:

Downloads the current site's favicon, computes its MurmurHash3 hash (the standard used by Shodan), and generates ready-to-click search links for Shodan, Censys, FOFA, and ZoomEye to find every other server on the internet running the same software. This is a technique used by APT researchers and bug bounty hunters to map infrastructure.

Drag to your bookmarks bar:

🔷 Hash Favicon
1
Install — drag to bookmarks bar
2
Visit any website
3
Click — downloads favicon, computes hash, generates Shodan search links

Runs on any website — all processing in your browser.

🔷

Install the bookmarklet, then use it on any website

Favicon Hash Recon

Every web application has a favicon — and most use the default one from their framework or software. By computing the MurmurHash3 of a favicon (the algorithm Shodan uses), you can search the entire indexed internet for every other server using the same icon. This technique is used by APT researchers, bug bounty hunters, and red teams to discover shadow infrastructure.

Applications

Find all Jenkins, GitLab, Grafana, or Kibana instances. Discover other domains belonging to the same organization. Map out development, staging, and production environments. Identify software running on unusual ports.

MurmurHash3
A fast, non-cryptographic hash function used by Shodan to index favicons. The hash is computed on the base64-encoded favicon data.

🔷 Favicon Hash Recon — FAQ

Why MurmurHash3?

Shodan uses MurmurHash3 (32-bit) on base64-encoded favicon data as its indexing standard. Using the same algorithm ensures search compatibility.

How accurate is favicon matching?

Very accurate for default favicons. Custom favicons are nearly unique — matching ones belong to the same organization or a clone.

Do I need a Shodan account?

Basic Shodan searches are free. For full results, a membership is required. Censys, FOFA, and ZoomEye are additional search options.

What software has distinctive favicons?

Jenkins, GitLab, Grafana, Kibana, Jira, Confluence, phpMyAdmin, Apache default, Nginx default, IIS default, and thousands more.

Can organizations prevent this?

Using a custom favicon instead of the default reduces discoverability, but determined researchers can still match custom favicons across assets.

🛰️

Shodan InternetDB Recon

Open ports and CVEs for any IP.
📡

CT Subdomain Enum

Discover subdomains via CT logs.
🔬

Tech Stack Detector

Detect frameworks and software.
🔍

Domain Recon Dashboard

Full domain intelligence.