LATER EDIT: Could it be that IIS is not case sensitive for URLs and Apache is and someone could use this information to further increase the confidence factor in OS/WebServer detection?
I was reading about the useful UrlScan tool here and came across:
IIS 6.0 does not include the RemoveServerHeader feature because this feature offers no real security benefit. Most server attacks are not operating system-specific. Also, it is possible to detect the identity of a server and information about the operating system by mechanisms that do not depend on the server header.
Of course this stirred my curiosity since I don't understand how you can detect the OS and/or the web server without using the server header. However, extensions (.php, .asp, .aspx, .do, .py etc. etc.) cannot be the answer to this question, nor can looking for "__VIEWSTATE" or similar hidden input fields in the response content.
Is there some secret way that I don't really know about?
EDIT 1: I assume customized error pages (not the default ones which clearly show the web server; knowing the web server gives you a strong clue about the OS too)
Similar to OS detection, each web server has slight quirks and different behaviors under some conditions that can be detected. I don't know the precise methods off the top of my head. This is frequently done by sending invalid or unusual requests and seeing what the error message or the response is. Apache might handle a particular invalid request slightly differently from IIS.
Some of this will be masked if you have a reverse proxy or load balancer in the path. Instead of learning about your web server, the curious person would learn what proxy you're using.
It's pretty trivial, actually, even with a proxy in between. For instance, this tool gives you a pretty good idea:
Net-Square's httprint
While this is still an HTTP header inspection technique, there are many headers other than the server header that different application servers will add to the HTTP response that are indicative of what server they're running.
Some examples from IIS/ASP.NET/SharePoint:
This isn't a guaranteed method but works in many cases.
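The point made in the answer above and in the quoted UrlScan note, as an added example that is not part of any answer on this page: a check a site owner can run over their own responses to see which headers besides Server still identify the stack. The header and cookie names are real defaults picked for illustration, not a list taken from the page, and the sample response is constructed.

```python
# Added example: list response headers, other than Server, that identify the stack.
# Header and cookie names below are real defaults picked for illustration
# (an assumption of this example, not a list from the page; not exhaustive).
DISCLOSING_HEADERS = {
    "server": "web server",
    "x-powered-by": "application framework",
    "x-aspnet-version": "ASP.NET",
    "x-aspnetmvc-version": "ASP.NET MVC",
    "microsoftsharepointteamservices": "SharePoint",
}
DISCLOSING_COOKIES = {
    "asp.net_sessionid": "ASP.NET",
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
}


def audit_response(raw):
    """Return (header, value, hint) for every header that reveals the stack."""
    head = raw.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        key, value = name.strip().lower(), value.strip()
        if key in DISCLOSING_HEADERS:
            findings.append((name, value, DISCLOSING_HEADERS[key]))
        elif key == "set-cookie":
            cookie = value.split(";", 1)[0].strip()  # drop cookie attributes
            hint = DISCLOSING_COOKIES.get(cookie.split("=", 1)[0].lower())
            if hint:
                findings.append((name, cookie, hint))
    return findings


# Constructed sample: Server header already removed, other defaults untouched.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for name, value, hint in audit_response(SAMPLE):
        print(f"{name}: {value}  -> reveals {hint}")
```

An empty result only means none of the listed names were present; behavioral differences such as the ones the other answers describe are not covered by a header check.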
Nmap has a feature that discovers the OS running on a server. It's probably not fail-proof, but I guess it should work on a reasonable number of servers around the 'net.
Here is the complete reference for that.