30

I'm trying to detect what web server a particular website uses. For instance whether it's nginX, Apache, Tomcat and so on.

I usually use Live HTTP Headers Firefox add-on. The problem is that sites sometimes hide their back-end. Isn't there a way to detect web servers when they're not present in HEADER?

EDIT 1:
A sample output from a website that didn't match anything in @Question Overflow's answer:

```
HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 10:43:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: VideoHosting Framework/1.0.1
Cache-Control: no-cache, must-revalidate, no-cache="Set-Cookie", private
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Videohost/1.0.1
```

I even tried to use httprint on linux but it gives ICMP request timeout on every website I tested.

EDIT 2:
The above HEADER is very similar to that of a website that I'm sure uses nginX. If we remove those parts that are not present (Connection, Pragma and so on) in the above HEADER, it gets so similar to nginX. I suppose Server is at the end of the response because they have customized it themselves. And because of that nginX appended it to the end of the Response packet.

```
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 29 Sep 2014 12:51:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
```

OWASP should update its list with this one as well for nginX. ;-)

1
  • Use option -P0 to turn off the ICMP probe. ICMP is disabled on some servers, e.g. amazon aws. Commented Feb 16, 2016 at 20:34

3 Answers

29

If a website does not use a custom built server to modify the HTTP headers, you can try by examining the order of arrangement in the HTTP response fields. From OWASP:

Apache 1.3.23 server:

```
HTTP/1.1 200 OK
Date: ...
Server: ...
Last-Modified: ...
ETag: ...
Accept-Ranges: bytes
Content-Length: ...
Connection: ...
Content-Type: text/HTML
```

Microsoft IIS 5.0 server:

```
HTTP/1.1 200 OK
Server: ...
Expires: ...
Date: ...
Content-Type: text/HTML
Accept-Ranges: bytes
Last-Modified: ...
ETag: ...
Content-Length: ...
```

Netscape Enterprise 4.1 server:

```
HTTP/1.1 200 OK
Server: ...
Date: ...
Content-type: text/HTML
Last-modified: ...
Content-length: ...
Accept-ranges: bytes
Connection: ...
```

SunONE 6.1 server:

```
HTTP/1.1 200 OK
Server: ...
Date: ...
Content-length: ...
Content-type: text/html
Date: ...
Last-Modified: ...
Accept-Ranges: bytes
Connection: ...
```

For further confirmation, you can send a malformed request, such as GET / HTTP/3.0, to elicit a non-standard response. Example:

Apache 1.3.23 and SunONE 6.1 servers:

HTTP/1.1 400 Bad Request 

Microsoft IIS 5.0 server:

HTTP/1.1 200 OK 

Netscape Enterprise 4.1 server:

HTTP/1.1 505 HTTP Version Not Supported 

As the above information is pretty outdated, you may want to install a pentesting tool like httprint for automated web server fingerprinting.

Web servers can obfuscate their signature or masquerade themselves as another server. Take the information with a pinch of salt, if you must.

3
  • Thanks. It's weird that OWASP has not listed NginX as one of the web servers?! httprint gives ICMP timeout and didn't work for any site. Commented Sep 29, 2014 at 10:40
  • 1
    Your OWASP approach solved the problem. +1 Commented Sep 29, 2014 at 12:57
  • @AlirezaHos, OWASP is just showing some basic examples, hence NginX is not shown. Are the servers you are testing ICMP-enabled? Commented Feb 16, 2016 at 20:29
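
The header-order comparison from the answer above, as an added example that is not part of the original answer or of OWASP's material: it ranks the field orders quoted on this page against a raw response, here the Videohost sample from the question, which is useful for checking what a server with a rewritten banner still reveals. The similarity score (longest common subsequence divided by the longer field list, repeated fields counted once) and all function names are assumptions of this example.

```python
# Field orders quoted on this page (OWASP list + the question's nginx sample); scoring is an assumption.
SIGNATURES = {
    "Apache 1.3.23": "date server last-modified etag accept-ranges content-length connection content-type".split(),
    "Microsoft IIS 5.0": "server expires date content-type accept-ranges last-modified etag content-length".split(),
    "Netscape Enterprise 4.1": "server date content-type last-modified content-length accept-ranges connection".split(),
    "SunONE 6.1": "server date content-length content-type last-modified accept-ranges connection".split(),
    "nginx (question's sample)": "server date content-type transfer-encoding connection expires cache-control pragma content-encoding".split(),
}

def header_order(raw):
    """Lower-cased header names in order of first appearance."""
    names = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, _ = line.partition(":")
        name = name.strip().lower()
        if sep and name and name not in names:
            names.append(name)
    return names

def lcs_len(a, b):
    """Length of the longest common subsequence (fields kept in the same order)."""
    row = [0] * (len(b) + 1)
    for x in a:
        prev = 0
        for j, y in enumerate(b, 1):
            cur = row[j]
            row[j] = prev + 1 if x == y else max(row[j], row[j - 1])
            prev = cur
    return row[-1]

def rank(raw):
    """Score every signature in [0, 1]; 1.0 means same fields, same order."""
    seen = header_order(raw)
    scores = {n: lcs_len(seen, s) / max(len(seen), len(s)) for n, s in SIGNATURES.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# The Videohost response from the question, whose Server banner was customized.
VIDEOHOST = """HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 10:43:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: VideoHosting Framework/1.0.1
Cache-Control: no-cache, must-revalidate, no-cache="Set-Cookie", private
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Videohost/1.0.1
"""
for name, score in rank(VIDEOHOST):
    print(f"{score:.2f}  {name}")
```
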
7

You can try looking if you can get the server to display a native error page. Error pages can be customized by a web developer, but when they aren't, they often reveal a lot of information about the web server.

For example, this is the 404 Not Found error page of Apache 2.2.4 running on Unix:

```
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /server-status was not found on this server.</p>
<hr>
<address>Apache/2.2.4 (Unix) mod_antiloris/0.4 Server at example.com Port 3128</address>
</body></html>
```

And this is the 400 Bad Request error page (obtained by sending an HTTP request consisting of only GET / HTTP/1.1 using telnet) sent by the same server:

```
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.4 (Unix) mod_antiloris/0.4 Server at 203.0.113.113 Port 3128</address>
</body></html>
```
2
  • 1
    The easiest way is trying to access the .htaccess file. In most servers, it will trigger the error 300. Most famous websites have that part covered up. Commented Sep 30, 2014 at 8:21
  • Unfortunately they've customized their page, but thanks for the input. Cheers ;-)))) Commented Sep 30, 2014 at 8:46
-3

Why not just use nmap to detect what web server software is being used?

1
  • The tool is not important; all of them gave the same header result. I need a solution similar to @Question Overflow's to detect the web server. Commented Sep 29, 2014 at 12:37
