Lookups for real IP starting from the favicon icon and using Shodan.
pip3 install -r requirements.txt- Shodan API key (not the free one)
First define how you pass the API key:
-kor--keyto pass the key to the stdin-kfor--key-fileto pass the filename which get the key from-scor--shodan-clito get the key from Shodan CLI (if you initialized it)
As of now, this tool can be used in three different ways:
-ffor--favicon-file: you store locally a favicon icon which you want to lookup-fuor--favicon-url: you don't store locally the favicon icon, but you know the exact url where it resides-wor--web: you don't know the URL of the favicon icon, but you still know that's there-fhor--favicon-hash: you know the hash and want to search the entire internet.
You can specify input files which may contain urls to domain, to favicon icons, or simply locations of locally stored icons:
-fl,--favicon-list: the file contains the full path of all the icons which you want to lookup-ul,--url-list: the file contains the full URL of all the icons which you want to lookup-wl,--web-list: the contains all the domains which you want to lookup
You can also save the results to a CSV/JSON file:
-o,--output: specify the output and the format, e.g.:results.csvwill save to a CSV file (the type is automatically recognized by the extension of the output file)
python3 favUp.py --favicon-file favicon.ico -sc
python3 favUp.py --favicon-url https://domain.behind.cloudflare/assets/favicon.ico -sc
python3 favUp.py --web domain.behind.cloudflare -sc
from favUp import FavUp
f = FavUp()
f.shodanCLI = True
f.web = "domain.behind.cloudflare"
f.show = True
f.run()
for result in f.faviconsList:
print(f"Real-IP: {result['found_ips']}")
print(f"Hash: {result['favhash']}")| Variable | Type |
|---|---|
| FavUp.show | bool |
| FavUp.key | str |
| FavUp.keyFile | str |
| FavUp.shodanCLI | bool |
| FavUp.faviconFile | str |
| FavUp.faviconURL | str |
| FavUp.web | str |
| FavUp.shodan | Shodan class |
| FavUp.faviconsList | list[dict] |
FavUp.faviconsList stores all the results, the key fields depend by the type of the lookup you want to do.
In case of --favicon-file or --favicon-list:
favhashstores the hash of the favicon iconfilestores the path
In case of --favicon-url or --url-list:
favhashstores the hash of the favicon iconurlstores the URL of the favicon icondomainstores the domain namemaskIPstores the "fake" IP (e.g. the Cloudflare one)maskISPstore the ISP name associated to themaskIP
In case of --web or --web-list:
favhashstores the hash of the favicon icondomainstores the domain namemaskIPstores the "fake" IP (e.g. the Cloudflare one)maskISPstore the ISP name associated to themaskIP
(in this case the URL of the favicon icon is returned by the href attribute of <link rel='icon'> HTML element)
If, while searching for the favicon icon, nothing useful is found, not-found will be returned.
In all three cases, found_ips field is added for every checked entry. If no IP(s) have been found, not-found will be returned.
At least python3.6 is required due to spicy syntax.
Feel free to open any issue, your feedback and suggestions are always welcome <3
Unveiling IPs behind Cloudflare by @noneprivacy
This tool is for educational purposes only. The authors and contributors don't take any responsibility for the misuse of this tool. Use It At Your Own Risk!
Conceived by Francesco Poldi noneprivacy, build with Aan Wahyu Petruknisme
stanley_HAL told me how Shodan calculates the favicon hash.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent