Forum Moderators: bakedjake
2) telnet to port 80 and do a HTTP HEAD request and examine the HTTP "Server" response header, eg:
user@hostname:~$ telnet www.example.com 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2005 15:28:44 GMT
Server: Apache/1.3.31 (Unix)
Connection: close
Content-Type: text/html
Connection closed by foreign host.
user@hostname:~$
Of course, just because a website is hosted on a Linux box, it doesn't mean they know anything about Linux or PHP :) I suggest you look at other ways to determine their qualifications.
Indeed you can nmap any of my servers but if you Telnet to port 80 and ask for the headers you just get a 501 error and it closes the connection.
What about a GET on robots.txt? :) The request type, HEAD, GET, POST or whatever, is mostly irrelevant. The HTTP Server response header can be VERY easily modified in Apache 1.3.x, 2.x, as well as Boa by anyone with a little C programming experience. This will also affect what Netcraft records. Thus, relying on HTTP Server headers as a means of host OS identification is not always a good idea.
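The telnet exchange from the first post, the 501-on-HEAD behaviour from the second, and the GET /robots.txt fallback and spoofed-banner point from the third, put together as one runnable example. This is added here and is not code from anyone in the thread: it contains a small constructed fake HTTP server (so it runs offline, bound to 127.0.0.1 on an ephemeral port) and a raw-socket client that sends the same `HEAD / HTTP/1.0` request as typed into telnet and pulls the `Server` header out of the reply. The banner strings handed to the fake server, including the "Microsoft-IIS/6.0" one used to show a deliberately misleading header, are assumed values for the demonstration, not observations about any real host.

```python
import socket
import socketserver
import threading

CRLF = "\r\n"


def build_request(method="HEAD", path="/"):
    """Exactly what is typed into telnet: request line, then an empty line."""
    return f"{method} {path} HTTP/1.0{CRLF}{CRLF}".encode("iso-8859-1")


def parse_response(raw):
    """Split a raw HTTP reply into (status code, {lowercased header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split(CRLF)
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def server_banner(host, port, method="HEAD", path="/", timeout=5.0):
    """Connect, send one request, read until the peer closes, return (status, Server header)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:                               # "Connection closed by foreign host."
                break
            chunks.append(data)
    status, headers = parse_response(b"".join(chunks))
    return status, headers.get("server")


class FakeHTTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a web server whose Server header is operator-chosen."""
    banner = "Apache/1.3.31 (Unix)"   # assumed banner; overridden per server below
    reject_head = False               # True mimics a server answering HEAD with 501

    def handle(self):
        request_line = self.rfile.readline().decode("iso-8859-1").rstrip(CRLF)
        while self.rfile.readline().rstrip(b"\r\n"):   # drain any request headers
            pass
        method = request_line.split(" ", 1)[0]
        if method == "HEAD" and self.reject_head:
            status, body = "501 Not Implemented", b""
        elif method in ("HEAD", "GET"):
            status, body = "200 OK", b"User-agent: *\r\nDisallow:\r\n"   # constructed robots.txt
        else:
            status, body = "405 Method Not Allowed", b""
        head = [f"HTTP/1.1 {status}", f"Server: {self.banner}", "Connection: close",
                "Content-Type: text/plain", f"Content-Length: {len(body)}", "", ""]
        self.wfile.write(CRLF.join(head).encode("iso-8859-1"))
        if method != "HEAD":                           # HEAD replies carry no body
            self.wfile.write(body)


def start_fake_server(banner, reject_head=False):
    """Start a fake server in a daemon thread; returns (server, bound port)."""
    handler = type("Handler", (FakeHTTPHandler,), {"banner": banner, "reject_head": reject_head})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_fake(banner, reject_head=False, method="HEAD", path="/"):
    """Spin up a fake server with the given banner, probe it once, tear it down."""
    srv, port = start_fake_server(banner, reject_head)
    try:
        return server_banner("127.0.0.1", port, method, path)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # An honest-looking banner, as in the telnet session in the thread.
    print(probe_fake("Apache/1.3.31 (Unix)"))
    # A server that refuses HEAD with 501 but answers GET /robots.txt, and whose
    # banner (assumed here) says IIS although the process is plainly Python.
    print(probe_fake("Microsoft-IIS/6.0", reject_head=True))
    print(probe_fake("Microsoft-IIS/6.0", reject_head=True, method="GET", path="/robots.txt"))
```

Run it as a script to see the three probes; the last two show why the thread's conclusion holds: the method barely matters once you fall back to GET, and whatever the header says is whatever the operator chose to put there.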
An OS TCP fingerprint would be a lot harder to change because you would (I suspect) be changing the way the TCP stack in the kernel operates. It might be possible; I've never tried.