Da_Costa wrote: If I understand you, to discover a vulnerability remotely, I have to test all possible exploits for that known vulnerable service?
Not if you can find out which version is running: sometimes you can because it's advertised by the service, sometimes because of a certain feature only available in a new version, etc. Otherwise, detection can be based on trying a certain combination/input that will return an error for vulnerable applications (like adding a quote to a URL to check for SQL injection). And lastly, yes, of course you can go in guns blazing and hope one of the attacks hits. Be careful not to get locked out because of firewalls, intrusion detection systems or by performing an unforeseen DoS when doing that in real life, though.
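
Added example (not part of the original post): the "version advertised by the service" case, written as an inventory check over banners collected from your own hosts. The banners, addresses and the `MIN_PATCHED` floor versions are constructed for illustration and are not advisory data.

```python
import re

# Constructed sample banners (documentation address range), as gathered from one's own hosts.
BANNERS = {
    "192.0.2.5:22": "SSH-2.0-OpenSSH_7.4",
    "192.0.2.6:22": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "192.0.2.7:80": "Server: Apache/2.4.49 (Unix)",
    "192.0.2.8:80": "Server: nginx",  # version not advertised
    "192.0.2.9:21": "220 (vsFTPd 3.0.5)",
}

# Hypothetical patch policy: lowest version treated as current (constructed values).
MIN_PATCHED = {"openssh": (8, 0), "apache": (2, 4, 58), "vsftpd": (3, 0, 3)}

PATTERNS = [
    ("openssh", re.compile(r"OpenSSH_(\d+(?:\.\d+)*)")),
    ("apache", re.compile(r"Apache/(\d+(?:\.\d+)*)")),
    ("nginx", re.compile(r"nginx/(\d+(?:\.\d+)*)")),
    ("vsftpd", re.compile(r"vsFTPd (\d+(?:\.\d+)*)")),
]

def parse_banner(banner):
    """Return (product, version_tuple), or (None, None) if no version is advertised."""
    for product, rx in PATTERNS:
        m = rx.search(banner)
        if m:
            return product, tuple(int(p) for p in m.group(1).split("."))
    return None, None

def older(version, floor):
    """Compare version tuples after zero-padding, so (8,) equals (8, 0)."""
    n = max(len(version), len(floor))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(version) < pad(floor)

def classify(banner):
    product, version = parse_banner(banner)
    floor = MIN_PATCHED.get(product)
    if version is None or floor is None:
        return "unknown"  # banner alone cannot answer; needs another check
    return "outdated" if older(version, floor) else "ok"

def audit(banners):
    return {host: classify(b) for host, b in banners.items()}

if __name__ == "__main__":
    for host, status in audit(BANNERS).items():
        print(host, status)
```

An "outdated" result is a lead to verify rather than proof, since distributions often backport fixes without changing the advertised version, and a banner can be edited or hidden.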