Today a coworker asked me how to find out which web server a website is using. Most websites use Microsoft IIS or Apache, although of course there are others. What is the purpose of this? In an attack against a website, a very important step is knowing what software is running.
In general, the more we know about a system, the easier it is to attack. If we can learn the product, the version and even the patch level (although this last one is harder to see), we greatly simplify the work of an attacker, who will focus, at least, on launching everything that is known and published against that product. If, on the other hand, you do not know what is there, you will have to launch multiple attacks by trial and error.
In our case we are going to use a tool called curl, which basically does file transfer (xml, json, raw, …). It supports multiple protocols: FTP, FTPS, HTTP, HTTPS, TFTP, SCP, SFTP, Telnet, DICT, FILE and LDAP.
If the website is not secured against this kind of attack:
curl -s -i http://xxxxxx.xxxxxx.xxx
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 04 Apr 2018 16:17:36 GMT
Connection: close
Content-Length: 315

Not Found
<h2>Not Found</h2>
<hr><p>HTTP Error 404. The requested resource is not found.</p>
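The same check can be run against a site you administer to see what it gives away. The following is an added example, not part of the original post: a shell function that reads `curl -s -i` output and lists the headers that disclose server software, noting whether a version number is included. The function names, the header names other than Server, and the sample response are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage against a site you administer: curl -s -i https://example.com/ | banner_audit

# Reads one raw HTTP response on stdin and prints, tab-separated:
#   header-name  disclosure-level  value
banner_audit() {
    awk '
    { sub(/\r$/, "") }              # HTTP header lines end in CRLF
    NR == 1 { next }                # skip the status line
    body    { next }                # past the headers: ignore body text
    /^$/    { body = 1; next }      # blank line ends the header block
    {
        i = index($0, ":")
        if (i == 0) next
        name  = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
        value = substr($0, i + 1)
        sub(/^[ \t]+/, "", value)
        # Assumed watch list: Server is from the post, the others are
        # common software-disclosing headers added for this example.
        if (name == "server" || name == "x-powered-by" ||
            name == "x-aspnet-version" || name == "x-aspnetmvc-version") {
            level = (value ~ /[0-9]+\.[0-9]+/) ? "product+version" : "product-only"
            printf "%s\t%s\t%s\n", name, level, value
        }
    }'
}

# Constructed sample: the response from the post plus one extra header and a
# body line that looks like a header, to show that the body is not parsed.
sample_response() {
    printf 'HTTP/1.1 404 Not Found\r\n'
    printf 'Content-Type: text/html; charset=us-ascii\r\n'
    printf 'Server: Microsoft-HTTPAPI/2.0\r\n'
    printf 'X-Powered-By: ASP.NET\r\n'
    printf 'Connection: close\r\n'
    printf '\r\n'
    printf 'Server: Apache/2.4.1 (this line is body text)\r\n'
}
```

An empty result from `banner_audit` means none of the watched headers were present in the response.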
HTH – Antonio NAVARRO