Uncovering Hidden Subdomains with Favicons: Advanced Enumeration Techniques
Effortlessly Discover Subdomains with Favicon Hashing and Advanced Recon Techniques
Introduction
Subdomain enumeration is a critical aspect of penetration testing and bug bounty hunting. Attackers can often uncover subdomains that might expose sensitive or overlooked assets. While many techniques exist for subdomain enumeration, using a website’s Favicon is a lesser-known, but powerful method. Favicons are small icons displayed on a browser tab or bookmarks, but their fingerprints can be leveraged to identify hidden subdomains or services.
In this post, we’ll walk through a practical, hands-on example using Favicon hashes for subdomain enumeration, delve into the tools involved, and explore advanced techniques for enumeration.
Understanding Favicon Hashing for Subdomain Enumeration
Favicons are tied to websites and often stay consistent across subdomains. By calculating the hash of a Favicon, you can identify other subdomains that may share the same Favicon, suggesting they belong to the same domain or infrastructure.
A common approach is using the favicon.ico file, which is publicly available and often found at https://<domain>/favicon.ico. Once downloaded, we can generate a hash and use it to find related subdomains across various platforms.
