Creating a Shodan Dork Using MMH3 Hash
In this article, we will explore how to create a Shodan dork using the MMH3 hash of the favicon.ico file. This technique allows you to find websites that use the same favicon, which can be useful for reconnaissance and security research.
Installing the Python mmh3 Module
To use the mmh3 module, you must first install it on your computer. You can do this using the following command:
pip install mmh3
Creating a Python Script
Importing the Module
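Create a new Python file and import the mmh3 module, together with the standard-library modules used to download and encode the favicon:
import base64
import urllib.request
import mmh3
Defining the Hash Generation Function
Define a function that takes a URL as input and returns the MMH3 hash of the favicon.ico file associated with that URL. Shodan computes http.favicon.hash over the base64-encoded contents of the file (including the line breaks that base64.encodebytes() inserts), so the function downloads the file and encodes it before hashing:
def get_favicon_hash(url):
    # Download the favicon from the site root
    favicon_url = url.rstrip('/') + '/favicon.ico'
    with urllib.request.urlopen(favicon_url, timeout=10) as response:
        favicon = response.read()
    # Shodan hashes the base64-encoded file (with newlines), not the raw bytes
    return mmh3.hash(base64.encodebytes(favicon))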
Using the Function to Generate the Hash
Use the get_favicon_hash() function to generate the MMH3 hash of a particular website:
example_url = 'https://www.example.com'
favicon_hash = get_favicon_hash(example_url)
print(favicon_hash)
Creating the Shodan Query
Use the generated MMH3 hash to build a Shodan query:
shodan_query = 'http.favicon.hash:' + str(favicon_hash)
That’s it! You can now use the Shodan query to find websites that use the same favicon.ico file as the one you analyzed.
Finding the favicon.ico File in a Website’s Source Code
To find the favicon.ico file in a website’s source code, open your web browser and navigate to the website you want to analyze. Right-click on the page and select “View Page Source” or “Show Page Source”. Once the source is displayed, use the search function (usually by pressing Ctrl + F or Cmd + F) to search for the term favicon.ico. If the file is present, you should be able to find a line of code that looks like this:
<link rel="shortcut icon" href="https://www.example.com/favicon.ico">
Complete Example
Here is a complete Python script that demonstrates the entire process:
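import base64
import urllib.request

import mmh3

def get_favicon_hash(url):
    # Download the favicon from the site root
    favicon_url = url.rstrip('/') + '/favicon.ico'
    with urllib.request.urlopen(favicon_url, timeout=10) as response:
        favicon = response.read()
    # Shodan hashes the base64-encoded file (with newlines), not the raw bytes
    return mmh3.hash(base64.encodebytes(favicon))

# Example usage
example_url = 'https://www.example.com'
favicon_hash = get_favicon_hash(example_url)
shodan_query = 'http.favicon.hash:' + str(favicon_hash)
print(f"Favicon hash: {favicon_hash}")
print(f"Shodan query: {shodan_query}")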
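The following added example is not part of the original article. It resolves the favicon location from a page's <link> tag (the step described under finding the favicon in the source code) and builds the Shodan query from the file's bytes. It uses a pure-Python MurmurHash3 in place of the mmh3 module so that it runs offline; the sample HTML, the icon bytes and the names murmur3_32, IconLinkParser, favicon_url and build_query are constructed for illustration.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urljoin

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, returned signed like mmh3.hash()."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    h, body_len = seed & mask, len(data) & ~3
    for i in range(0, len(data), 4):
        k = int.from_bytes(data[i:i + 4], "little")  # a short final chunk is the tail
        k = (rotl((k * c1) & mask, 15) * c2) & mask
        h ^= k
        if i < body_len:  # only full 4-byte blocks get the extra mixing step
            h = (rotl(h, 13) * 5 + 0xE6546B64) & mask
    h ^= len(data)
    for shift, mult in ((16, 0x85EBCA6B), (13, 0xC2B2AE35), (16, 1)):
        h ^= h >> shift
        h = (h * mult) & mask
    return h - (1 << 32) if h & 0x80000000 else h

class IconLinkParser(HTMLParser):
    """Collects href values of <link> tags whose rel includes 'icon'."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if tag == "link" and "icon" in rels and a.get("href"):
            self.hrefs.append(a["href"])

def favicon_url(page_url: str, html: str) -> str:
    """Declared icon if the page has one, otherwise the /favicon.ico default."""
    parser = IconLinkParser()
    parser.feed(html)
    return urljoin(page_url, parser.hrefs[0] if parser.hrefs else "/favicon.ico")

def build_query(favicon_bytes: bytes) -> str:
    # Hash the base64 text as encodebytes() emits it: newline after each 76 chars
    return f"http.favicon.hash:{murmur3_32(base64.encodebytes(favicon_bytes))}"

# Constructed sample inputs (not a real site or a real icon)
SAMPLE_HTML = '<html><head><link rel="shortcut icon" href="/static/img/fav.ico"></head></html>'
SAMPLE_ICON = bytes(range(256)) * 2

if __name__ == "__main__":
    print(favicon_url("https://www.example.com/app/", SAMPLE_HTML))
    print(build_query(SAMPLE_ICON))
```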