Skip to content

Fingerprint Web Server

OWASP Web Security Testing Guide 4.2 > 1. Information Gathering > 1.2. Fingerprint Web Server

ID Link to Hackinglife Link to OWASP Objectives
1.2 WSTG-INFO-02 Fingerprint Web Server - Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.

Passive fingerprinting

Whois

 whois $TARGET
whois.exe <TARGET>

Basic:

curl -I <domain.com>
  • nmap.
    # Grab banner of services in an IP
    nmap -sV --script=banner $ip
    
    # Grab banners of services in a range
    nmap -sV --script=banner $ip/24
    
  • telnet
  • openssl
    openssl s_client -connect target.site:443
    HEAD / HTTP/1.0
    
    • sending malformed request (with SANTACLAUS method for instance):
      GET / SANTACLAUS/1.1
      
  • Some targets obfuscate their servers by modifying headers, but, there is a default ordering in the headers response, so you can do some guessing from ordering too.

Automatic scanning tools

netcraft, nikto.

Netcraft can offer us information about the servers without even interacting with them, and this is something valuable from a passive information gathering point of view. We can use the service by visiting https://sitereport.netcraft.com and entering the target domain. We need to pay special attention to the latest IPs used. Sometimes we can spot the actual IP address from the webserver before it was placed behind a load balancer, web application firewall, or IDS, allowing us to connect directly to it if the configuration.

Active fingerprinting

HTTP headers and HTML Source code

  • Note the response header Server, X-Powered-By, or X-Generator as well.
  • Identify framework specific cookies. For instance, the cookie CAKEPHP for php.
  • Review the source code and identify <meta> or attributes with typical patterns from some servers (and/or frameworks).
nmap -sV -F target
Last update: 2024-09-12
Created: December 24, 2023 11:19:43