Fingerprint Web Server
Check List
Methodology
Banner Grabbing
Connect to the target website’s HTTP service to retrieve server banners, identifying software and version details for potential vulnerability mapping
Manually interact with the HTTP service (a hand-typed HEAD or GET over nc or telnet) to capture raw server responses, extracting server software, custom headers or configuration details. Deliberately malformed requests (an unknown method, a bogus protocol version) and the order in which response headers come back differ between server implementations and still identify the product when the Server banner has been stripped
Fetch the HTTP headers with a HEAD request to analyse the Server header, powered-by information and security headers, uncovering misconfigurations or outdated software. Banners can be suppressed or forged (ServerTokens Prod in Apache, server_tokens off in nginx), so corroborate them with the manual checks above
Run nmap with version detection and the HTTP NSE scripts to extract the page title, headers, the Server header, security headers, supported HTTP methods, robots.txt and the favicon, building a profile of the web server. Note that -sV and the NSE scripts complete full TCP connections, so this is not a stealth scan even with -sS, and that http-put only runs when given the http-put.url and http-put.file script arguments, since it uploads a file to the target
Use an online service to query the target’s technology stack, gathering details about CMS, frameworks, hosting providers, or server software for reconnaissance
Leverage a DNS reconnaissance tool to enumerate subdomains, DNS records, and associated IP addresses, mapping the target’s infrastructure and potential entry points
Search for web servers by their server header to identify instances running specific software, narrowing down targets for version-specific exploit research
Query SSL certificate fingerprints (SHA-1 or SHA-256) to locate other hosts presenting the same certificate, revealing related domains, shared infrastructure and certificate reuse across environments
Identify hosts by SSL certificate common name (CN) to uncover subdomains or assets tied to the target, expanding the attack surface for testing
Search response headers for operating-system hints to prioritise outdated or vulnerable systems. Web servers rarely send a header literally named OS, so treat this as a weak signal; the distribution tag in the Server header (for example "(Ubuntu)") and Censys's own operating_system.product field are usually more reliable
Search for powered-by headers to identify backend technologies like PHP or ASP.NET, assessing version-specific vulnerabilities or misconfigurations
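The banner-grab and header-analysis steps above produce a raw response that still has to be read. The following script is an added example, not code from the original page: fingerprint_headers pulls the Server product and version, X-Powered-By, the advertised methods and the missing security headers out of a raw HTTP response, and live_head is a hypothetical helper that fetches such a response from a real host with bash's /dev/tcp. The sample response it runs on is constructed, not captured from any host.

```shell
#!/usr/bin/env bash
# Added example: not part of the original page. live_head is a hypothetical
# helper for a real host (bash /dev/tcp); fingerprint_headers only needs the
# captured text, so it is run here on a constructed response.

live_head() {  # usage: live_head host [port]  -> raw HEAD response on stdout
  host=$1; port=${2:-80}
  exec 3<>"/dev/tcp/$host/$port" || return 1
  printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" >&3
  cat <&3
  exec 3<&- 3>&-
}

# Extract the fingerprinting-relevant fields from a raw HTTP response.
# Output is key=value lines: status, server, product, version, powered_by,
# allow, missing_security_headers. Header names are compared
# case-insensitively; a repeated header keeps its last value.
fingerprint_headers() {
  printf '%s' "$1" | tr -d '\r' | awk -F': *' '
    NR == 1 { print "status=" $0; next }
    /^$/    { exit }                       # blank line ends the header block
    {
      name = tolower($1)
      sub(/^[^:]*: */, "", $0)             # keep everything after the first colon
      hdr[name] = $0
    }
    END {
      split(hdr["server"], p, "/"); split(p[2], v, " ")
      print "server="     hdr["server"]
      print "product="    p[1]
      print "version="    v[1]
      print "powered_by=" hdr["x-powered-by"]
      print "allow="      hdr["allow"]
      n = split("strict-transport-security content-security-policy x-frame-options x-content-type-options", want, " ")
      for (i = 1; i <= n; i++)
        if (!(want[i] in hdr)) miss = miss (miss == "" ? "" : ",") want[i]
      print "missing_security_headers=" miss
    }'
}

fp_get() {  # usage: fp_get <key> <raw_response>  -> value of one report field
  fingerprint_headers "$2" | sed -n "s/^$1=//p"
}

# Constructed sample response (not captured from any real host).
SAMPLE=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nX-Powered-By: PHP/7.4.9\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>')

fingerprint_headers "$SAMPLE"
# Live use: fingerprint_headers "$(live_head "$WEBSITE")"
```

The Allow line is worth keeping in the report: TRACE showing up there is the classic cross-site tracing finding, and the missing-header list is the same set the http-security-headers NSE script reports, so the two outputs can be compared directly.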
Using Automated Scanning Tools
Run a WAF detection tool to identify the presence and type of web application firewall, analyzing bypass opportunities or WAF-specific weaknesses
Use an automated WAF identification tool to confirm firewall presence and fingerprint its technology, aiding in crafting payloads to evade protections
Execute a web fingerprinting tool to detect CMS, frameworks, and server technologies, building a detailed profile of the target’s stack for vulnerability prioritization
Deploy an automated reconnaissance suite to perform comprehensive scanning, combining subdomain enumeration, port scanning, and vulnerability checks for a holistic assessment
Conduct a web vulnerability scan to identify common issues like XSS, SQLi, or misconfigurations, prioritizing findings based on severity and exploitability
Fingerprint GraphQL endpoints on the target to detect exposed APIs, analyzing schema details or misconfigurations for potential data exposure or injection attacks
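The WAF detection steps above rely on two signals that wafw00f and whatwaf combine: product-specific response headers and the difference between how a benign request and an attack-looking request are answered. The script below is an added example, not the page's code and not taken from either tool; its signature table is a small illustrative subset assembled from public vendor documentation, and the responses it classifies are constructed, not captured.

```shell
#!/usr/bin/env bash
# Added example: not part of the page and not wafw00f's or whatwaf's code.
# Signature table is a small subset from public vendor documentation:
# name=ERE, matched against lowercased "name: value" header lines.
WAF_SIGS='cloudflare=^server: cloudflare|^cf-ray:
akamai=^server: akamaighost|^x-akamai-
aws-elb/waf=^server: awselb|^x-amzn-requestid:
imperva-incapsula=^x-iinfo:|^x-cdn: incapsula
f5-bigip=^server: bigip|^x-cnection:'

detect_waf() {  # usage: detect_waf "$raw_response"  -> product name or "none"
  headers=$(printf '%s' "$1" | tr -d '\r' | sed '/^$/q' | tr 'A-Z' 'a-z')
  found=$(printf '%s\n' "$WAF_SIGS" | while IFS= read -r line; do
    name=${line%%=*}; re=${line#*=}
    if printf '%s\n' "$headers" | grep -Eq "$re"; then
      printf '%s\n' "$name"; break
    fi
  done)
  printf '%s\n' "${found:-none}"
}

# HTTP status of a GET with an optional query string appended (needs network).
probe_status() {  # usage: probe_status <url> [query]
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1${2:+?$2}"
}

# Compare the benign and the attack-looking request. A blocking WAF shows up
# as a 2xx/3xx baseline turning into 403/406/429/501/503 for the attack probe;
# anything else (baseline already failing) is inconclusive.
probe_verdict() {  # usage: probe_verdict <benign_status> <attack_status>
  case "$1" in
    2??|3??) ;;
    *) printf 'inconclusive\n'; return 0 ;;
  esac
  case "$2" in
    403|406|429|501|503) printf 'blocking\n' ;;
    *) printf 'not-blocking\n' ;;
  esac
}

# Constructed responses (not captured from real hosts; the CF-RAY value is a placeholder).
CF_RESP=$(printf 'HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\nCF-RAY: 0000000000000000-XXX\r\nContent-Type: text/html\r\n\r\n')
AKAMAI_RESP=$(printf 'HTTP/1.1 200 OK\r\nServer: AkamaiGHost\r\nContent-Type: text/html\r\n\r\n')
PLAIN_RESP=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\nContent-Type: text/html\r\n\r\n<html>')

detect_waf "$CF_RESP"       # cloudflare
detect_waf "$AKAMAI_RESP"   # akamai
detect_waf "$PLAIN_RESP"    # none
probe_verdict 200 403       # blocking
# Live use: probe_verdict "$(probe_status "$WEBSITE")" \
#   "$(probe_status "$WEBSITE" 'q=%3Cscript%3Ealert(1)%3C%2Fscript%3E')"
```

A header match alone only proves a CDN or load balancer is in front of the origin, not that its WAF rules are enabled; that is what the probe comparison adds, and why both tools run the pair of requests even when a signature already matched.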
Cheat Sheet
Banner Grabbing
nc -v $WEBSITE 80
telnet $WEBSITE 80
curl -I $WEBSITE
nmap -sS -sV -Pn --mtu 5000 \
  --script http-title,http-headers,http-server-header,http-security-headers,http-methods,http-put,http-robots.txt,http-favicon \
  $WEBSITE
NetCraft
Dnsdumpster
Server Header
uncover -cs 'services.http.response.headers.server: "nginx"'
SSL Certificate SHA-1 Fingerprint
uncover -cs "services.tls.certificates.leaf_data.fingerprint_sha1: $HASH"
SSL Certificate SHA-256 Fingerprint
uncover -cs "services.tls.certificates.leaf_data.fingerprint_sha256: $HASH"
Common Name (CN) in SSL Certificate
uncover -cs "services.tls.certificates.leaf_data.subject.common_name: \"$WEBSITE\""
Operating System
uncover -cs 'services.http.response.headers: (key: "OS" and value.headers: "Linux")'
Powered By Header
uncover -cs 'services.http.response.headers.x_powered_by: "PHP/7.4.9"'
Using Automated Scanning Tools
wafw00f $WEBSITE
whatwaf -u $WEBSITE
whatweb $WEBSITE
sniper -t $WEBSITE
arachni $WEBSITE
graphw00f -f -t $WEBSITE
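The certificate fingerprint and CN queries in the cheat sheet above expect the hash as lowercase hex without colons and the CN as a bare string, which is not how openssl prints either. The script below is an added example, not code from the page or from the uncover project: fetch_leaf_cert pulls a host's leaf certificate with openssl s_client (network), fp_to_censys and cn_from_subject convert openssl's fingerprint and subject lines into the query form, and uncover_cert_queries prints the three commands. Without a TARGET_HOST it runs on constructed openssl-style output, so the fingerprints shown are placeholders, not a real certificate's values.

```shell
#!/usr/bin/env bash
# Added example: not from the page or the uncover project. fetch_leaf_cert
# needs network; the text helpers run offline on constructed openssl output.

fetch_leaf_cert() {  # usage: fetch_leaf_cert host [port]  -> leaf cert as PEM on stdout
  printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
    | openssl x509
}

fp_to_censys() {  # "SHA256 Fingerprint=AB:CD:..." -> "abcd..."
  printf '%s\n' "$1" | sed 's/^.*=//; s/://g' | tr 'A-Z' 'a-z'
}

# Handles both "subject=CN = example.com, O = Ex" (openssl 1.1+) and the
# older "subject= /C=US/CN=example.com" layout.
cn_from_subject() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

uncover_cert_queries() {  # usage: uncover_cert_queries <sha1> <sha256> <cn>
  printf "uncover -cs 'services.tls.certificates.leaf_data.fingerprint_sha1: %s'\n" "$1"
  printf "uncover -cs 'services.tls.certificates.leaf_data.fingerprint_sha256: %s'\n" "$2"
  printf "uncover -cs 'services.tls.certificates.leaf_data.subject.common_name: \"%s\"'\n" "$3"
}

if [ -n "${TARGET_HOST:-}" ]; then
  # Live mode: TARGET_HOST=example.com [TARGET_PORT=443] ./script.sh
  pem=$(fetch_leaf_cert "$TARGET_HOST" "${TARGET_PORT:-443}")
  sha1=$(fp_to_censys "$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha1)")
  sha256=$(fp_to_censys "$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256)")
  cn=$(cn_from_subject "$(printf '%s\n' "$pem" | openssl x509 -noout -subject)")
else
  # Constructed openssl output: placeholder values, not a real certificate.
  sha1=$(fp_to_censys 'SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33')
  sha256=$(fp_to_censys 'SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF')
  cn=$(cn_from_subject 'subject=CN = example.com, O = Example Org')
fi
uncover_cert_queries "$sha1" "$sha256" "$cn"
```

The -servername flag matters: without SNI a shared host hands back its default certificate, and the fingerprints you then search for belong to a different site.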