Shodan Favicon Hash Search

Master http.favicon.hash to find exposed infrastructure.


The http.favicon.hash filter

Shodan indexes the MurmurHash3 of every favicon it discovers, so you can search on the hash value directly:

http.favicon.hash:116323821
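
How the value in that filter is derived, as an added example (not code from the original page): Shodan applies 32-bit MurmurHash3 to the base64-encoded favicon bytes, line-wrapped the way Python's base64.encodebytes does, and reports the result as a signed integer. The sample bytes and the "Example Corp" org name are constructed placeholders, and a pure-Python MurmurHash3 stands in for the mmh3 package so the block has no dependencies.

```python
import base64

MASK = 0xFFFFFFFF

def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK

def _mix_k(k: int) -> int:
    k = (k * 0xCC9E2D51) & MASK
    return (_rotl(k, 15) * 0x1B873593) & MASK

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 as an unsigned 32-bit integer."""
    h = seed & MASK
    full = len(data) - len(data) % 4
    for i in range(0, full, 4):              # 4-byte little-endian blocks
        h ^= _mix_k(int.from_bytes(data[i:i + 4], "little"))
        h = (_rotl(h, 13) * 5 + 0xE6546B64) & MASK
    if data[full:]:                          # 1 to 3 trailing bytes
        h ^= _mix_k(int.from_bytes(data[full:], "little"))
    h ^= len(data) & MASK
    h ^= h >> 16                             # final avalanche
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h

def to_signed32(h: int) -> int:
    """Reinterpret as signed 32-bit, which is why some hashes are negative."""
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon: bytes) -> int:
    # Hash the base64 text (76-char lines, trailing newline), not the raw bytes.
    return to_signed32(murmur3_32(base64.encodebytes(icon)))

def inventory_query(icon: bytes, org: str) -> str:
    """Shodan query for hosts serving this icon, scoped to one organisation."""
    return f'http.favicon.hash:{favicon_hash(icon)} org:"{org}"'

if __name__ == "__main__":
    sample_icon = bytes(range(256)) * 2      # constructed stand-in for favicon.ico
    print(inventory_query(sample_icon, "Example Corp"))  # placeholder org name
```

Run it over the bytes of your own product's favicon.ico to get the query that lists hosts Shodan has seen serving that icon.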

High-value hashes

116323821 Spring Boot — check /actuator/env, /actuator/heapdump
1685868140 Jenkins — check /script (Groovy console)
-1399433489 Grafana — CVE-2021-43798 path traversal
-1199763420 pfSense — firewall admin interfaces
1480479042 FortiGate — CVE-2023-27997
1394503582 Citrix NetScaler — CVE-2023-3519
-1886585458 F5 BIG-IP — CVE-2022-1388
-1764111718 SonarQube — exposed source code

Combining filters

http.favicon.hash:116323821 country:US
http.favicon.hash:-1399433489 port:3000
http.favicon.hash:<hash> org:"Target Corp"

FOFA vs Shodan vs Censys

FOFA typically returns 5–10× more results for the same hash. Always query all platforms.