Technology Fingerprinting

# Server header
curl -I https://target.com | grep -i server

# Common responses
Server: Apache/2.4.41
Server: nginx/1.18.0
Server: Microsoft-IIS/10.0
Server: cloudflare

# Default pages
Apache: /icons/, /manual/
Nginx: 50x.html
IIS: /aspnet_client/

# Error pages
Different styling per server

nmap -sV -p 80,443 target.com
nmap --script http-server-header target.com
nmap --script http-headers target.com

X-Powered-By: PHP/7.4.3
X-Powered-By: Express
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
X-Generator: Drupal 9

# Session cookie names
PHPSESSID → PHP
JSESSIONID → Java
ASP.NET_SessionId → ASP.NET
rack.session → Ruby
laravel_session → Laravel
connect.sid → Express
_rails_session → Rails

.php → PHP
.asp/.aspx → ASP.NET
.jsp → Java
.do → Struts
/wp-admin → WordPress
/node/ → Drupal

<!-- Check source for -->
meta generator
framework-specific classes
JavaScript library includes
<!-- wp-content → WordPress -->
<!-- /sites/default → Drupal -->

wpscan --url https://target.com
wpscan --url https://target.com --enumerate u,p,t
wpscan --url https://target.com --api-token YOUR_TOKEN

droopescan scan drupal -u https://target.com
droopescan scan joomla -u https://target.com

cmsmap https://target.com
cmsmap -t https://target.com -f W  # WordPress

# WordPress
/wp-admin/
/wp-login.php
/wp-content/
/xmlrpc.php

# Drupal
/core/
/sites/
/node/1
CHANGELOG.txt

# Joomla
/administrator/
/components/
/modules/
/templates/

# Magento
/admin
/downloader
/skin/
/js/mage/

wafw00f https://target.com
wafw00f -a https://target.com  # Test all WAFs

Server: cloudflare
X-CDN: Incapsula
X-Sucuri-ID: ...
X-Protected-By: ...
X-Firewall: ...

# Cloudflare
cf-ray header
__cfduid cookie

# AWS WAF
x-amzn-RequestId
awselb cookie

# Akamai
AkamaiGHost
x-akamai-transformed

# Imperva/Incapsula
incap_ses_ cookie
visid_incap_ cookie

# ModSecurity
Mod_Security
NOYB

# Malicious payload to trigger WAF
curl "https://target.com/<script>alert(1)</script>"
# Check response for WAF block page

# Browser extension
# CLI version
wappalyzer https://target.com --pretty

// Check console
React._version
angular.version
Vue.version
jQuery.fn.jquery

// Check global objects
window.React
window.angular
window.Vue
window.$

<!-- React -->
data-reactroot, data-reactid

<!-- Angular -->
ng-app, ng-controller, ng-model

<!-- Vue -->
v-bind, v-model, v-if

<!-- Common includes -->
react.min.js, angular.min.js, vue.min.js

/graphql
/graphql/console
/graphiql
/playground

# Query
{"query": "{__schema{types{name}}}"}

/api/
/api/v1/
/api/v2/
/rest/
/swagger
/swagger.json
/openapi.json
/api-docs

# MySQL
You have an error in your SQL syntax

# PostgreSQL
ERROR: syntax error at or near

# MSSQL
Unclosed quotation mark

# Oracle
ORA-00933: SQL command not properly ended

# MongoDB
cannot convert to object

3306 → MySQL/MariaDB
5432 → PostgreSQL
1433 → MSSQL
1521 → Oracle
27017 → MongoDB
6379 → Redis
9200 → Elasticsearch

whatweb https://target.com
whatweb -v https://target.com
whatweb -a 3 https://target.com  # Aggressive

wappalyzer https://target.com
wappalyzer https://target.com --pretty

https://builtwith.com/
https://w3techs.com/

https://toolbar.netcraft.com/

nmap -sV -p- target.com
nmap -sV --version-intensity 5 target.com

# WordPress
/readme.html
/license.txt
/wp-includes/version.php

# Drupal
/CHANGELOG.txt
/core/install.php

# Joomla
/administrator/manifests/files/joomla.xml

# Apache
/server-status
/server-info

# 1. HTTP headers
curl -I https://target.com

# 2. WhatWeb
whatweb -v https://target.com

# 3. Nmap service detection
nmap -sV -p 80,443 target.com

# 4. WAF detection
wafw00f https://target.com

# 5. CMS-specific
wpscan --url https://target.com # if WordPress

# 6. Browser analysis
# Check Wappalyzer extension
# View source for indicators

- Find known CVEs for versions
- Target CMS-specific vulnerabilities
- Bypass WAF with known techniques
- Identify misconfigurations
- Prioritize testing approach

# After identifying version
searchsploit apache 2.4.49
searchsploit wordpress 5.0

# CVE lookup
https://cve.mitre.org/
https://nvd.nist.gov/