A powerful reconnaissance tool for extracting and analyzing favicons from websites. FavInfo extracts favicons, calculates multiple hash formats (Murmur3, MD5, SHA256), identifies technologies, and generates search engine queries for threat intelligence and asset discovery.
- π Automatic Favicon Extraction: Scrapes favicons from HTML or falls back to
/favicon.ico - π― Multiple Hash Algorithms: Calculates Murmur3, MD5, and SHA256 hashes (MD5/SHA256 in JSON mode only)
- π οΈ Technology Identification: Matches favicon hashes against fingerprint database
- π Search Engine Integration: Generates queries for Shodan, FOFA, Censys, ZoomEye, and Quake (JSON mode)
- π Flexible Output: Simplified format for batch processing or detailed JSON format
- β‘ High Performance: Concurrent processing with configurable workers (default 50) for scanning thousands of URLs efficiently
- π Security Focused: Supports custom User-Agents and TLS configuration
- π₯ Auto-Download: Automatically downloads fingerprint database from GitHub if not found
go install github.com/rix4uni/favinfo@latest
wget https://github.com/rix4uni/favinfo/releases/download/v0.0.7/favinfo-linux-amd64-0.0.7.tgz
tar -xvzf favinfo-linux-amd64-0.0.7.tgz
rm -rf favinfo-linux-amd64-0.0.7.tgz
mv favinfo ~/go/bin/favinfo
Or download binary release for your platform.
git clone --depth 1 https://github.com/rix4uni/favinfo.git
cd favinfo; go install
Usage of favinfo:
--concurrent int Number of URLs to process concurrently (default 50)
--fingerprint string Path to the fingerprint.json file (default: $HOME/.config/favinfo/fingerprint.json or ./fingerprint.json)
--json Output results in JSON format
--silent Silent mode.
--source Enable source output for where the url coming from scraped or added /favicon.ico
--timeout duration Set the HTTP request timeout duration (default 30s)
-H, --user-agent string Set the User-Agent header for HTTP requests (default "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36")
--version Print the version of the tool and exit.
echo "https://www.google.com" | favinfocat subs.txt | favinfoecho "example.com" | favinfo --timeout 30s --user-agent "Custom Agent" --sourceecho "https://www.google.com" | favinfo --json| Flag | Short | Description | Default |
|---|---|---|---|
--concurrent |
Number of URLs to process concurrently | 50 |
|
--timeout |
HTTP request timeout | 30s |
|
--source |
Show source of favicon URLs | false |
|
--user-agent |
-H |
Set custom User-Agent | Mozilla/5.0... |
--fingerprint |
Path to fingerprint.json | Auto-detected | |
--json |
Output in JSON format (full details) | false |
|
--silent |
Silent mode (no banner) | false |
|
--version |
Print version and exit | false |
Note: Default output is simplified format (URL [hash1, hash2]). Use --json flag for detailed output with all hashes and search engine queries.
FavInfo uses a fingerprint database to identify technologies based on favicon hashes. The tool automatically looks for the database in:
$HOME/.config/favinfo/fingerprint.json(recommended)./fingerprint.json(current directory)
If the database is not found in either location, FavInfo will automatically:
- Create the
~/.config/favinfo/directory if it doesn't exist - Download
fingerprint.jsonfrom the GitHub repository - Save it to
~/.config/favinfo/fingerprint.json
The download message is shown unless --silent flag is used.
echo "example.com" | favinfo --fingerprint /path/to/custom/fingerprint.jsonThe default output format is optimized for batch processing thousands of URLs. It shows only the URL and Murmur3 hash(es):
https://www.google.com [708578229]
https://www.bing.com [-583637433]
https://example.com [123456789, 987654321]This format:
- Only calculates Murmur3 hash (fastest processing)
- Skips MD5/SHA256 calculations and fingerprint lookups
- Perfect for scanning large lists of subdomains
{
"input_url": "https://www.google.com",
"favicon_url": "https://www.google.com/favicon.ico",
"murmur_hash": 708578229,
"md5_hash": "f3418a443e7d841097c714d69ec4bcb8",
"sha256_hash": "6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770",
"technology": "google",
"search_queries": {
"shodan": "http.favicon.hash:708578229",
"fofa": "icon_hash=\"708578229\"",
"censys": "services.http.response.favicons.md5_hash=\"f3418a443e7d841097c714d69ec4bcb8\"",
"zoomeye": "iconhash:708578229",
"quake": "favicon.hash:708578229"
}
}- Shodan:
http.favicon.hash:123456789 - FOFA:
icon_hash="123456789" - Censys: MD5 and SHA256 hash searches
- ZoomEye:
iconhash:123456789 - Quake:
favicon.hash:123456789
- Identify infrastructure belonging to specific organizations
- Track threat actor infrastructure across different services
- Discover related assets through favicon correlation
- Find all instances of a particular technology stack
- Map organizational digital footprint
- Identify shadow IT resources
- Fingerprint target technologies for vulnerability analysis
- Discover related subdomains and infrastructure
- Enumerate external attack surface
# Fast batch processing with simplified output (default, 50 concurrent workers)
cat urls.txt | favinfo --timeout 15s --silent > hashes.txt
# High-performance batch processing with custom concurrency
cat urls.txt | favinfo --timeout 15s --concurrent 100 --silent > hashes.txt
# Detailed batch processing with JSON output
cat urls.txt | favinfo --timeout 15s --json > results.json# Extract domains from subfinder and get favicon hashes (simplified output)
subfinder -d example.com | favinfo --silent
# Get detailed JSON output for specific analysis
echo "example.com" | favinfo --json | jq '.murmur_hash'
# Process thousands of URLs efficiently with simplified output
cat urls.txt | favinfo --silent > hashes.txtCreate your own fingerprint database by adding entries to fingerprint.json:
{
"123456789": "Custom Technology",
"987654321": "Internal Application v1.0"
}- Linux/Mac:
$HOME/.config/favinfo/fingerprint.json - Windows:
%USERPROFILE%\.config\favinfo\fingerprint.json