loading
loading
OSINT
Look up the real IP of a host starting from its favicon and using Shodan.
overview
favup finds a site's real origin IP by hashing its favicon and searching Shodan for hosts that serve the same icon. When a site sits behind Cloudflare, another CDN, or a WAF, the front-end IP hides the origin, but the origin server usually still returns the identical favicon, so the hash leads straight back to it. That makes favup a practical way to get past front-end protection during recon.
It accepts several starting points: a list of domains, a list of full icon URLs, a single favicon URL, a local favicon file, or a precomputed favicon hash to search the whole internet. A Shodan API key, passed inline with -k or as a file with -kf, drives every lookup, so coverage tracks whatever Shodan has indexed for that icon.
On Trickest, favup is an OSINT node that takes a domain or URL list and writes a folder and a file of results. Reach for it when you need the origin behind a protected host, then feed the recovered IPs into port scanning or direct probing that skips the CDN.
source github.com/pielco11/fav-up
use cases
Hash the favicon and search Shodan to recover the origin IP behind a site fronted by Cloudflare, another CDN, or a WAF, so testing can target the real server instead of the front end.
Feed a file of domains with -wl and let favup look up the origin for each one, building a map of hosts and the IPs that serve them.
Supply a precomputed favicon hash with -fh and query Shodan across the whole internet to surface every host serving that exact icon, including mirrors and staging copies.
Pass the origin IPs into a port scanner such as naabu or a prober so the rest of the workflow hits the origin directly, bypassing the protective front end.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| web-list | FILE | -wl | File listing the domains to look up. |
| favicon-web | STRING | -w | Single domain to look up when you know it serves a favicon but not the icon's URL. |
| url-list | FILE | -ul | File listing the full URLs of all icons to look up. |
| favicon-url | STRING | -fu | URL where the favicon resides. |
| favicon-hash | STRING | -fh | Precomputed favicon hash to search across the whole internet. |
| favicon-file | FILE | -ff | Local favicon file to hash and look up. |
| api-key | STRING | -k | Shodan API key passed inline. |
| api-key-file | FILE | -kf | File to read the Shodan API key from. |
Showing key inputs. favup exposes 9 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| api-key | STRING | -k | Shodan API key passed inline. |
| url-list | FILE | -ul | File listing the full URLs of every icon to look up. |
| web-list | FILE | -wl | File listing the domains to look up. |
| favicon-url | STRING | -fu | URL where the favicon resides. |
| favicon-web | STRING | -w | Domain to look up when you know it serves a favicon but not the icon's URL. |
| api-key-file | FILE | -kf | File to read the Shodan API key from. |
| favicon-file | FILE | -ff | Local favicon file to hash and look up. |
| favicon-hash | STRING | -fh | Precomputed favicon hash to search across the whole internet. |
| favicon-list | FILE | -fl | File listing the full paths of all local icons to look up. |
example
# recover the origin IP behind a CDN from a domain's faviconpython3 favUp.py -w example.com -k <shodan-api-key>[+] Loaded Shodan API key[+] example.com -> favicon hash: -1655836657[+] Querying Shodan: http.favicon.hash:-1655836657[+] Found 3 host(s) for example.com 198.51.100.23 198.51.100.24 203.0.113.9[+] Results written to favup-results.jsonguidance
Use favup when a target hides behind a CDN or WAF and you need its origin IP. It depends on Shodan, so a key is required and results reflect what Shodan indexed. For fingerprinting tech by favicon instead, use favfreak.
Hashes favicons to fingerprint tech and build Shodan dorks. favup instead resolves the origin IP behind one.
Finds origin servers by comparing responses. A different signal than favup's favicon-hash lookup.
General Shodan querying. favup wraps it specifically around the favicon-hash origin lookup.
faq
related
Look up DNS records on DNSDumpster.
Look up a host on DNSDumpster.
Find lookalike domains adversaries use for typosquatting, phishing, and brand impersonation.
List all public repositories for valid GitHub usernames.
Gather email account intelligence from public sources and check it against breach data.
Collect a dossier on a person by username across thousands of sites.
A domain list feeds favup, which resolves origin IPs via Shodan favicon hashes, then naabu port-scans them and writes the results as output.
Facts on this page come from the live Trickest tool library.