How can I find out which server OS a particular site is running?
Many sites will tell you in the HTTP headers:
    $ curl -s -I hotmail.com | grep Server
    Server: Microsoft-IIS/7.5
    $ curl -s -I pinterest.com | grep Server
    Server: nginx/0.8.54
Some include the OS and sometimes version:
    $ curl -s -I linuxquestions.com | grep Server
    Server: Apache/2.2.9 (Unix)
    $ curl -s -I red.com | grep Server
    Server: Apache/2.2.3 (Red Hat)
    $ curl -s -I slashdot.org | grep Server
    Server: Apache/2.2.3 (CentOS)
    $ curl -s -I bar.com | grep Server
    Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8r DAV/2 PHP/5.3.8
Some write their own web serving software:
    $ curl -s -I google.com | grep Server
    Server: gws
    $ curl -s -I yahoo.com | grep Server
    Server: YTS/1.20.10
But some don't send the
    $ curl -s -I serverfault.com
    HTTP/1.1 200 OK
    Cache-Control: public, max-age=41
    Content-Length: 129706
    Content-Type: text/html; charset=utf-8
    Expires: Tue, 27 Mar 2012 13:01:46 GMT
    Last-Modified: Tue, 27 Mar 2012 13:00:46 GMT
    Vary: *
    Date: Tue, 27 Mar 2012 13:01:04 GMT

    $ curl -s -I www.facebook.com
    HTTP/1.1 302 Found
    Location: http://www.facebook.com/common/browser.php
    P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
    Set-Cookie: datr=sbpxT_PpXR9FO5mMTy8pCTjD; expires=Thu, 27-Mar-2014 13:03:45 GMT; path=/; domain=.facebook.com; httponly
    Content-Type: text/html; charset=utf-8
    X-FB-Debug: VJycxKwQ9bAV0Z/n6jfN1WSFx4pqj2337c1jc+pPlE0=
    X-Cnection: close
    Content-Length: 0
    Date: Tue, 27 Mar 2012 13:03:45 GMT
Any or all of these could be lying. Bart's suggestion of nmap is more likely to be accurate but cannot produce 100% accurate results for the reasons he mentioned. It doesn't even make sense sometimes: for instance, with the number of servers that are involved in fulfilling a single HTTP request at Google, their web servers, search servers, database servers, caching servers and whatever else they run could all potentially be using different operating systems, and you would have no way of knowing.
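Added example, not part of the original answers: a shell function for auditing what your own site's `Server` header discloses. It reads response headers as printed by `curl -s -I` and, unlike a bare `grep Server`, handles CRLF line endings, lowercase field names, look-alike headers and a missing header. The function name `server_disclosure`, its `level|os|banner` output format and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# server_disclosure: read HTTP response headers on stdin and print
#   level|os|banner
# level is one of:
#   absent   no Server header in the first header block
#   product  product name only          (e.g. "gws")
#   version  product with a version     (e.g. "nginx/0.8.54")
#   os       banner carries a "(...)" comment, usually the OS or distro
server_disclosure() {
    awk '
    { sub(/\r$/, "") }                  # header lines end in CRLF
    NR > 1 && $0 == "" { exit }         # blank line ends the header block
    tolower($0) ~ /^server:/ {          # field names are case-insensitive
        banner = $0
        sub(/^[^:]*:[ \t]*/, "", banner)
        found = 1
        exit
    }
    END {
        if (!found) { print "absent|-|-"; exit }
        level = "product"; os = "-"
        if (banner ~ /\/[0-9]/) level = "version"
        if (match(banner, /\([^)]*\)/)) {
            level = "os"
            os = substr(banner, RSTART + 1, RLENGTH - 2)
        }
        print level "|" os "|" banner
    }'
}

# Constructed sample responses; the banner value is one quoted above.
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Apache/2.2.3 (CentOS)\r\n\r\n' |
    server_disclosure
# X-Server-Id is a made-up header: "grep Server" would match it,
# but it is not a Server header.
printf 'HTTP/1.1 200 OK\r\nX-Server-Id: 7\r\nVary: *\r\n\r\n' |
    server_disclosure
```

Against a live host the same function is used as `curl -s -I example.com | server_disclosure`. The result only describes what the header claims; as the answer says, the banner itself may be inaccurate.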
You can look for OS fingerprinting functionality built into Nmap.
However, if you're looking for something like "What is Google running?" you won't get far since you won't know what's behind their load balancers, or firewalls will block it, and fingerprinting can only be so accurate so you can get false reports back and you may not get anywhere when the connection is somehow NAT'ed.
Ask Netcraft: What's that site running?
http://uptime.netcraft.com/up/graph?site=google.com returns "server: gws" (i.e. Google Web Server).