Shodan has a search filter for website icons, http.favicon.hash, which finds sites that use the same icon. If you do not know how to use it, please refer to my previous article.
As the previous article explained, the hash looks like an unknown random number, so you cannot simply type in a value to search for a chosen icon. You have to read the hash from a site that Shodan has already indexed and then search for every site with that icon. That makes the technique quite limited: finding the site you need is a matter of luck, because Shodan has not necessarily indexed it. Following on from the previous article: if Shodan has indexed an IP, and the server at that IP has an icon, can I find every server IP with the same icon? The answer is yes.
Take Baidu as an example, with a server at IP 180.97.34.35.
To find every IP address with this icon, first search for this IP in Shodan. This uses something I had not noticed before: Shodan's raw data view.
Click View Raw Data on the host details page to see everything Shodan has stored about the IP. There is too much to go through item by item here.
The field we need for the icon hash is data.0.http.favicon.hash. Its value here is -1507567067, which is the value to use with the http.favicon.hash filter.
Searching with the http.favicon.hash filter and the hash obtained above returns all the indexed websites with this icon.
Shodan's raw data contains a lot more. Look at the data.0.http.favicon.data field, which, as the name says, holds the favicon's data. Does the format look like the base64 we are familiar with? Yes: this field is the icon after base64 encoding.
We can check this with a simple Python script, shown below. Its output is roughly the same as the data shown on the site. I then asked a Shodan engineer, who confirmed that this field stores the icon in base64 format.
    # Python 2.7
    import requests

    # Fetch the icon and print it base64-encoded
    response = requests.get('https://www.baidu.com/favicon.ico')
    data = response.content.encode('base64')
    print data
At this point we understand some of Shodan's details better, and a new situation arises. Suppose a website exposes only a login page and no other information, but it does have an icon, so you guess that it may be running some unknown CMS. The idea is to use Shodan to find sites with the same icon and to find a breakthrough from other sites that use the same template. Following the steps above, you would search Shodan for this IP, but it turns out that Shodan has not indexed the address and the search returns nothing. What do you do then?
This is today's focus: how to derive, from a website's icon, the hash value that Shodan searches on. It is actually very simple and builds on the script above. Through some channels I learned that Shodan processes this result with a Python library called mmh3, which provides the MurmurHash3 function commonly used for hash-based lookups; see the mmh3 documentation for its specific usage. So the way Shodan produces the icon hash is clear: fetch the website's icon, base64-encode it, and hash the result with mmh3. The mmh3 module can be installed with pip. The installation may fail; in my case I needed to install the C++ Compiler Package for Python 2.7, and other errors should be handled as their messages indicate. The script uses Python 2.7 and needs no seed:
    # Python 2.7
    import mmh3
    import requests

    # Fetch the icon, base64-encode it, then hash the encoded text (no seed)
    response = requests.get('https://www.baidu.com/favicon.ico')
    favicon = response.content.encode('base64')
    favicon_hash = mmh3.hash(favicon)
    print favicon_hash
The calculation yields -1507567067. Searching with the http.favicon.hash filter and this value returns the same results as before.
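A Python 3 port of the procedure above, as an added example that is not part of the original article. Python 2's `encode('base64')` wraps its output at 76 characters and ends it with a newline, and the hash is computed over that exact text, so the port uses `base64.encodebytes`; the pure-Python `murmur3_32` is a stand-in for `mmh3.hash` so the block runs without a compiler, and the icon bytes are constructed sample data.

```python
import base64


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, returned as a signed int like mmh3.hash()."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF

    def mix(k: int) -> int:
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask       # rotate left 15
        return (k * c2) & mask

    h = seed & mask
    full = len(data) - len(data) % 4
    for i in range(0, full, 4):                  # 4-byte little-endian blocks
        h ^= mix(int.from_bytes(data[i:i + 4], "little"))
        h = ((h << 13) | (h >> 19)) & mask       # rotate left 13
        h = (h * 5 + 0xE6546B64) & mask
    if full < len(data):                         # 1 to 3 trailing bytes
        h ^= mix(int.from_bytes(data[full:], "little"))
    h ^= len(data)                               # finalization mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def py2_base64(raw: bytes) -> bytes:
    """Same text as Python 2's raw.encode('base64'): wrapped lines, each ending in a newline."""
    return base64.encodebytes(raw)


def favicon_hash(raw: bytes) -> int:
    """Value for the http.favicon.hash filter, following the article's procedure."""
    return murmur3_32(py2_base64(raw))


if __name__ == "__main__":
    icon = bytes(range(256)) * 2    # constructed stand-in for favicon.ico bytes
    print("wrapped base64  :", favicon_hash(icon))
    # Unwrapped base64 is the common porting mistake: it gives a different hash.
    print("unwrapped base64:", murmur3_32(base64.b64encode(icon)))
```

To hash a real icon, pass the bytes of the downloaded favicon.ico to `favicon_hash`.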
To test this, take Cnblogs (Blog Garden) as an example. Use F12 to find the icon's address, which is http://common.cnblogs.com/favicon.ico; it looks fine and is indeed an icon.
Then change the address in the script to this one; the calculation gives -395680774.
Searching for it in Shodan, I can see that results are found, although there are relatively few.
A detailed explanation of Shodan's http.favicon.hash syntax