Banners can be very informative: e.g. Apache gives the list of modules. But they may be unreliable.
Fingerprinting looks good, but we just started the implementation. Smtpscan is used; still looking for good HTTP fingerprinting techniques (hmap?)
Configuration options can be detected simply by trying to use them (e.g. HTTP PUT & DELETE)
1st type of attacks: check the version number against a list of vulnerable softwares.
Many other attacks just look like an exploit.
Test order: INIT, SCANNER, SETTINGS, GATHER_INFO, ATTACK, MIXED_ATTACK, DESTRUCTIVE_ATTACK, DENIAL, KILL_HOST