Fingerprint Web Server

OWASP Web Security Testing Guide 4.2 > 1. Information Gathering > 1.2. Fingerprint Web Server

ID	Link to Hackinglife	Link to OWASP	Objectives
1.2	WSTG-INFO-02	Fingerprint Web Server	- Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.

Passive fingerprinting

Whois

 whois $TARGET

whois.exe <TARGET>

Banner grabbing

Basic:

curl -I <domain.com>

• nmap.

  # Grab banner of services in an IP
  nmap -sV --script=banner $ip
  
  # Grab banners of services in a range
  nmap -sV --script=banner $ip/24
  

• telnet
• openssl

  openssl s_client -connect target.site:443
  HEAD / HTTP/1.0
  

• • sending malformed request (with SANTACLAUS method for instance):

    GET / SANTACLAUS/1.1
    

• Some targets obfuscate their servers by modifying headers, but, there is a default ordering in the headers response, so you can do some guessing from ordering too.

Automatic scanning tools

netcraft, nikto.

Netcraft can offer us information about the servers without even interacting with them, and this is something valuable from a passive information gathering point of view. We can use the service by visiting https://sitereport.netcraft.com and entering the target domain. We need to pay special attention to the latest IPs used. Sometimes we can spot the actual IP address from the webserver before it was placed behind a load balancer, web application firewall, or IDS, allowing us to connect directly to it if the configuration.

Active fingerprinting

HTTP headers and HTML Source code

• Note the response header Server, X-Powered-By, or X-Generator as well.
• Identify framework specific cookies. For instance, the cookie CAKEPHP for php.
• Review the source code and identify <meta> or attributes with typical patterns from some servers (and/or frameworks).

nmap -sV -F target

Last update: 2024-09-12
Created: December 24, 2023 11:19:43