Auticon: Scanning favicons of a country
2023-09-29
After reading the book 'Tracers in the Dark' by Andy Greenberg, I got a taste for analyzing bigdata again.
During a long car ride an old Twitter post came to my mind, here favicons were scanned and hashed "internet wide".
I wanted to recreate this for a small european country and scan all favicons of their ASNs.
So the project AUTicon was born - a pun between Austria and Favicons.
Getting the Data
As i was typing the first few lines in vim to build a small script i had another idea - HTTPX!
Since I use httpx in most of my external engagements and it got all the features I need, the decision to switch last second was easy.
After I got the ASNs and IP ranges via ipinfo.io and hackertarget.com I could start the first scan
httpx -l targets.txt test -favicon -title -ip -verbose -o output -verbose
Making Sens of it
While the Scan was running I created a way to analyze the data. The idea was following:
- Convert Data from HTTPX into CSV
cat httpx.txt | sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2};?)?)?[mGK]//g" | awk -F "[" 'BEGIN{OFS = ";"}{print $1, $4, $2}' | tr -d "]" | tee ../test.csv - Import the CSV into a database table
create table run1 (url varchar(1000), faviconhash varchar(1000), title varchar(1000))load data infile '~/auticon/run1.csv' into table run1 CHARACTER SET 'latin1' fields terminated by ';' (url, @2, @3) SET faviconhash = NULLIF(@2, ''), Title = NULLIF(@3, ''); - Query the Data!
select faviconhash, count(*) as count from test group by faviconhash order by count desc;
Seems like Gitlab is the Topboy in this ASN:
Doing the same with the completed run, results in following Data:
+-------------+---------------------------------------------------------------+-------+
| faviconhash | title | count |
+-------------+---------------------------------------------------------------+-------+
| -1997862060 | FRITZ!Box | 73929 |
| -219752612 | FRITZ!Box | 31552 |
| 1768726119 | Outlook | 4815 |
| 945408572 | NULL | 3433 |
| 167837543 | Nextcloud | 1800 |
| -325082670 | - Error - 403 | 1169 |
| 631108382 | Otto Woehr - Virtual Office | 1101 |
| 999357577 | NULL | 1074 |
| 1601194732 | User Portal | 1034 |
| -440644339 | USG FLEX 100 | 1018 |
| 1045696447 | User Portal | 805 |
| -404383634 | FortiGate | 609 |
| -2114287660 | AiCloud | 438 |
| 1320585097 | NULL | 339 |
| 1924358485 | RouterOS router configuration page | 316 |
| -677167908 | NULL | 316 |
| -332324409 | STARFACE VoIP Software | 312 |
| -1579795116 | Loading... | 270 |
| 1405460984 | pfSense - Login | 258 |
| 878647854 | BIG-IP logout page | 258 |
| 970132176 | 3CX Phone System Management Console | 245 |
| -1677255344 | EdgeOS | 230 |
| 279720073 | Securepoint UTM v12 - Admin Interface - 12.4.4.1 (c65bdb15e) | 217 |
| 390404864 | UniFi OS | 211 |
| -134375033 | Web Server's Default Page | 210 |
| -766957661 | MDaemon Webmail | 208 |
| 1787406232 | Home Assistant | 205 |
| -38705358 | Reolink | 197 |
| -1697776607 | Gira HomeServer 4 | 180 |
| -1148190371 | Login | OPNsense | 178 |
+-------------+---------------------------------------------------------------+-------+