Turn "what’s running" into "what’s weak." Match service versions to known vulnerabilities, use a scanner to cast a wide net, and separate real risk from noise.
Why: most findings are known vulnerabilities in identified software, so you map each service version to its published CVEs and exploits rather than inventing attacks. When: after enumeration, look up every version you found. Where: this is exactly what defenders do in reverse — patch management closes these same CVEs, which is why the vulnerability assessment overlaps with defense.
# Search for known exploits matching an identified version (local DB):
searchsploit vsftpd 2.3.4
searchsploit apache 2.2.8
# Cross-reference the CVE details (severity, exploitability) before acting.
# Defensive mirror: patching these versions removes the finding entirely.Why: a vulnerability scanner (OpenVAS, Nessus, Nuclei) checks many services against a large database of known issues quickly, casting a wide net you then verify by hand. When: use it to prioritize, not as the final word — scanners produce false positives. Where: automated scanning is the core of a vulnerability assessment, a distinct (and very common) engagement type.
# Fast, template-based scanning of an in-scope target:
nuclei -u http://192.168.56.101
# Full scanners (OpenVAS / Nessus) run authenticated + unauthenticated checks
# and produce a rated report. Treat results as LEADS, not conclusions.Why: scanners flag "potential" issues and are frequently wrong, so every finding must be manually verified before it goes in a report — a false positive erodes trust and wastes the client’s time. When: confirm each high/critical finding by hand, and rate real risk by likelihood and impact. Where: this triage discipline is shared with defensive vulnerability management (prioritize, verify, remediate, re-scan).
For every scanner finding:
1. VERIFY manually — is it actually exploitable in this context?
2. RATE the real risk — likelihood x impact, not just the CVSS number
3. PRIORITIZE — critical + reachable first
4. record EVIDENCE — you'll need it for the report
A report full of unverified scanner output is worse than no report.