Dataset of over 3,000 favicon hashes AI mapped to identified products — network devices, web applications, security appliances, and more. Useful for network reconnaissance, asset discovery, and OSINT via favicon-based fingerprinting.
Web servers expose favicons at predictable paths. Hashing a favicon (MurmurHash of the base64-encoded image) produces a stable fingerprint tied to a specific product or firmware version. Search engines like Shodan index these hashes, making it possible to find all internet-exposed instances of a given product with a single query.
http.favicon.hash:999357577 → Hikvision cameras
http.favicon.hash:-2013924196 → Fortinet FortiGate firewalls
| File | Description |
|---|---|
| favicons_table.md | Visual version of the dataset with inline favicon thumbnails |
| identified.csv | Main dataset — hash, product name, description, CPE, MD5, SHA256, pHash, and top favicon paths |
| favicon_paths.txt | Some popular (based on Shodan) URL paths to probe |
| images/favicons/ | 3,300 favicon images named {hash}.png |
| images/blog/ | Additional Supporting images |
| pHash.md | Learning experiment — exploring perceptual hashing for fuzzy favicon matching |
| Field | Description |
|---|---|
favicon_hash |
MurmurHash3 of the base64-encoded favicon (signed 32-bit) |
name |
Product name |
description |
Product description |
cpe |
CPE 2.3 identifier where known |
md5 |
MD5 of the raw favicon bytes |
sha256 |
SHA-256 of the raw favicon bytes |
phash |
Perceptual hash (for fuzzy image matching) |
phash_legacy |
Legacy perceptual hash variant |
top_path_1 / top_path_2 |
Most common URL paths this favicon is served from |
A missing path means it was an inline data link.
Script and logic used to check initial AI workflow
scripts/nuclei_extract.py mines a local checkout of nuclei-templates for favicon hashes and cross-references them against the dedicated favicon detection template (http/technologies/favicon-detect.yaml).
python3 scripts/nuclei_extract.py
# optional overrides:
# --templates ~/nuclei-templates
# --data-dir data/
It pulls hashes from two sources:
- Metadata fields —
shodan-query: http.favicon.hash:HASHandfofa-query: icon_hash=HASHin a template'sinfo.metadatablock. Description is derived frominfo.classification.cpefirst, thenmetadata.product, then the template name. - DSL matchers —
"HASH" == mmh3(base64_py(body))expressions inhttp[].matchers[], as used byfavicon-detect.yaml. Description comes from the matcher'sname:field.
When a hash appears in both sources the metadata entry wins (it carries CPE and richer context); the DSL source is recorded in the in_favicon_detect flag.
Outputs written to data/:
| File | Description |
|---|---|
| data/known_favicons.json | Hash → {description, cpe, template, nuclei_name} — consumed by import scripts |
| data/nuclei_comparison.csv | All hashes found, with in_favicon_detect flag, sorted by template path |
| data/nuclei_comparison.md | Same data as a markdown table for browsing on GitHub |
The comparison makes it easy to see which hashes are covered only by a specific CVE or panel template but have not yet been added to favicon-detect.yaml, and vice versa.
This was then ingested and my workflow ran against these first.
favicon_paths.txt lists paths organised into three groups:
- Manifest/config files —
browserconfig.xml,site.webmanifest,manifest.json— these reference favicon locations and can be fetched first to find non-standard paths - Shodan high-percentage paths — paths most commonly seen in indexed data
- Common static/build paths — framework-conventional locations (
/public/,/assets/,/static/)