Originally posted here by poohsuntzu
My first piece of advice is completely free:

1. Scan the network by hand. Even if you port scan everything first run by hand checks.

It looks highly impractical. How about port scanning, what do you plan to do? Go on and try to connect to each and every port individually?
What about scanning a system for the recently discovered JPEG vulnerability, for which Microsoft released a scanner in October?
What about trying to find whether a particular CGI vulnerability exists or not? How do you plan to do that?
Here is my guess:
1) Try to find all default locations for that file (on different servers and sometimes on the same server).
2) Craft an HTTP request for all those default locations, send them, monitor the response and see how it goes, right?
What about OS detection? OK, I won't argue about that; there are ways to do that.
3) What about webserver-specific vulnerabilities like WebDAV? How do you plan to detect that?

Plz correct me if I am wrong. There are surely ways of doing these things by hand, but all those methods are highly impractical and time consuming..... IMHO