Re: favicon survey script

[David Fifield <david () bamsoftware com>]

On Thu, Aug 06, 2009 at 08:27:24AM +0200, Vlatko Kosturjak wrote:
> David Fifield wrote:
> > Vlatko, did you ever finish mapping the hashes back to favicons in your
> > research?
>
> Yes, I did. But extracted only top 10 from each survey done
> (dmoz,80,443) and have summarized that into favicon-db (just updated
> favicon-db in attachment to reflect survey done).
>
> 09b565a51e14b721a323f0ba44b2982a:Google web server
> 506190fc55ceaa132f1bc305ed8472ca:SocialText
> 2cc15cfae55e2bb2d85b57e5b5bc3371:PHPwiki
> 389a8816c5b87685de7d8d5fec96c85b:XOOPS cms
> e6a9dc66179d8c9f34288b16a02f987e:Drupal cms
> f1876a80546b3986dbb79bad727b0374:NetScreen WebUI
> 226ffc5e483b85ec261654fe255e60be:Netscape 4.1
> b25dbe60830705d98ba3aaf0568c456a:Netscape iPlanet 6.0
> 41e2c893098b3ed9fc14b821a2e14e73:Netscape 6.0 (AOL)
> a28ebcac852795fe30d8e99a23d377c1:SunOne 6.1
> 71e30c507ca3fa005e2d1322a5aa8fb2:Apache on Redhat
> d41d8cd98f00b204e9800998ecf8427e:Zero byte favicon
> dcea02a5797ce9e36f19b7590752563e:Apache (seen on CentOS/Debian/Fedora)
> 6f767458b952d4755a795af0e4e0aa17:Yahoo!
> 5b0e3b33aa166c88cee57f83de1d4e55:DotNetNuke (http://www.dotnetnuke.com)
> 7dbe9acc2ab6e64d59fa67637b1239df:Lotus-Domino
> fa54dbf2f61bd2e0188e47f5f578f736:Wordpress
> 6cec5a9c106d45e458fc680f70df91b0:Wordpress - obsolete version
> 81ed5fa6453cf406d1d82233ba355b9a:E-zekiel
> ecaa88f7fa0bf610a5a26cf545dcd3aa:3-byte invalid favicon: domain sellers
> 4eb846f1286ab4e7a399c851d7d84cca:Plone cms
> c1201c47c81081c7f0930503cae7f71a:vBulletin forum
> edaaef7bbd3072a3a0c3fb3b29900bcb:Powered by Reynolds Web Solutions (Car sales CMS)
> d99217782f41e71bcaa8e663e6302473:Apache on Red Hat/Fedora
> 4644f2d45601037b8423d45e13194c93:Apache Tomcat
> a8fe5b8ae2c445a33ac41b33ccc9a120:Cannot find server(Access to this web page is currently unavailable.). Let us know - 
> please submit! 
> d16a0da12074dae41980a6918d33f031:ST 605
> befcded36aec1e59ea624582fcb3225c:SpeedTouch
> e4a509e78afca846cd0e6c0672797de5:i3micro VRG

Awesome. I would prefer to keep only the hashes that we have measured to
be common. João Correa is going to do some scanning and Brandon Enright
has been scanning as well.

The hash A8FE5B8AE2C445A33AC41B33CCC9A120 is by far the most common one
I found in my scanning, and I think in Brandon's too. Just like you
noted, it is really HTML text:

<html><head><title>Cannot find server</title></head><body>
<br>Access to this web page is currently unavailable.<P><HR></BODY></HTML>

It would be good to know what software produces this. There's an entry
in nmap-service-probes that matches it, for "Arris cm450 cable modem
http config". My guess is that it's probably broader than that, given
its prevalence.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org