How can I find out which server OS a particular site is running?

Solution 1:

Many sites will tell you in the HTTP headers:

$ curl -s -I | grep Server
Server: Microsoft-IIS/7.5

$ curl -s -I | grep Server
Server: nginx/0.8.54

Some include the OS and sometimes version:

$ curl -s -I | grep Server
Server: Apache/2.2.9 (Unix)

$ curl -s -I | grep Server
Server: Apache/2.2.3 (Red Hat)

$ curl -s -I | grep Server
Server: Apache/2.2.3 (CentOS)

$ curl -s -I | grep Server
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8r DAV/2 PHP/5.3.8

Some write their own web serving software:

$ curl -s -I | grep Server
Server: gws

$ curl -s -I | grep Server
Server: YTS/1.20.10

But some don't send the Server header:

$ curl -s -I 
HTTP/1.1 200 OK
Cache-Control: public, max-age=41
Content-Length: 129706
Content-Type: text/html; charset=utf-8
Expires: Tue, 27 Mar 2012 13:01:46 GMT
Last-Modified: Tue, 27 Mar 2012 13:00:46 GMT
Vary: *
Date: Tue, 27 Mar 2012 13:01:04 GMT

$ curl -s -I 
HTTP/1.1 302 Found
P3P: CP="Facebook does not have a P3P policy. Learn why here:"
Set-Cookie: datr=sbpxT_PpXR9FO5mMTy8pCTjD; expires=Thu, 27-Mar-2014 13:03:45 GMT; path=/;; httponly
Content-Type: text/html; charset=utf-8
X-FB-Debug: VJycxKwQ9bAV0Z/n6jfN1WSFx4pqj2337c1jc+pPlE0=
X-Cnection: close
Content-Length: 0
Date: Tue, 27 Mar 2012 13:03:45 GMT

Any or all of these could be lying. Bart's suggestion of nmap is more likely to be accurate but cannot produce 100% accurate results for the reasons he mentioned. It doesn't even make sense sometimes: for instance, with the number of servers that are involved in fulfilling a single HTTP request at Google, their web servers, search servers, database servers, caching servers and whatever else they run could all potentially be using different operating systems, and you would have no way of knowing.
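For auditing what your own servers disclose, the Server values shown in this answer can be split into product tokens and parenthesised comments, with the missing-header case handled explicitly. This is an added example, not part of the original answer; the function names and the two sample header blocks (built from values quoted above) are constructed for illustration.

```python
import re

# Server = product *( RWS ( product / comment ) ), where product = name["/" version]
_TOKEN = re.compile(r"\(([^()]*)\)|([^\s()/]+)(?:/([^\s()]+))?")

def parse_server(value):
    """Split a Server header value into (name, version) products and comments."""
    products, comments = [], []
    for m in _TOKEN.finditer(value):
        if m.group(1) is not None:          # "(Unix)", "(Red Hat)", ...
            comments.append(m.group(1).strip())
        else:                               # "Apache/2.2.21", "gws", ...
            products.append((m.group(2), m.group(3)))
    return products, comments

def disclosure(raw_headers):
    """Summarise what a raw response header block reveals via Server."""
    value = None
    for line in raw_headers.splitlines():
        name, sep, rest = line.partition(":")
        # The status line has no colon and is skipped; names are case-insensitive.
        if sep and name.strip().lower() == "server":
            value = rest.strip()
            break
    if value is None:
        return {"present": False, "products": [], "os_hints": [], "versioned": []}
    products, comments = parse_server(value)
    return {
        "present": True,
        "products": products,
        "os_hints": comments,               # self-reported, so may be wrong
        "versioned": [n for n, v in products if v],
    }

# Constructed sample responses, using header values quoted in the answer.
SAMPLE_WITH = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8r DAV/2 PHP/5.3.8\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
)
SAMPLE_WITHOUT = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: public, max-age=41\r\n"
    "Content-Length: 129706\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_WITH, SAMPLE_WITHOUT):
        print(disclosure(sample))
```

Everything it reports is what the server chose to send, so the result is a measure of disclosure, not proof of what is actually running.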

Solution 2:

You can look for the OS fingerprinting functionality built into Nmap.

However, if you're looking for something like "What is Google running?", you won't get far, since you won't know what's behind their load balancers, or firewalls will block it. Fingerprinting can only be so accurate, so you can get false reports back, and you may not get anywhere when the connection is somehow NAT'ed.

Solution 3:

Ask Netcraft: "What's that site running?" returns "server: gws" (i.e. Google Web Server).