In my short time in the infosec space, I have had the pleasure of working with several exploit and vulnerability scanners that try to automate not only the scanning for vulnerabilities but also their exploitation. In this article, I will go over the main takeaways I've had while working with these tools. I'll give each of them a number that represents how useful I found it in bug bounties and in pentesting. I know this is entirely subjective, but I hope it will at least give you an indication when combined with the other points I touch on.
Nmap, or the network mapper, is a very useful tool that I mostly use for port scanning. I combine this with the flags for banner enumeration and default script execution to get some decently useful results. I start with a scan of the 1000 most popular TCP ports, later add UDP ports, and only then scan all the ports on a target. This staged strategy lets me run a few scans in the background while I hack manually, without having to wait too long for my results. I really don't want to be sitting around doing nothing.
Usefulness in bounties: 6/10
While it is more useful in broad-scope attacks, it never hurts to do a quick port scan if it is allowed. Don't expect too much, though: companies are getting wiser about open ports, and pentesters usually beat you to it.
Usefulness in pentesting: 9/10
Finding open ports that should not be open before they hit production can be a lifesaver. If you leave the wrong ports open, an RCE, an LFI or any other combination of three letters might cause you a headache. There's no telling what bad actors might do, and this is usually where their exploration starts. If at all possible, you also want your client to shut down banner enumeration, as banners can give vital information to attackers.
Nikto is a vulnerability scanner that checks your target for a set of popular web issues such as known CVEs, hidden directories, and more. While it is still maintained regularly, it is starting to show its age a bit compared to other tools. It is definitely not the best option out there, but it has its merits, and you should be sure to run it against every web application on a server, including those on ports other than the default 80/443. This is why the Nmap scan is so important: it can reveal hidden web servers on a host. (Also take virtual hosts into account.)
Usefulness in bounties: 6/10
Again, this tool finds most of its merit in broad-scope testing, especially when it is embedded in a script that chains tools together.
Usefulness in pentesting: 9/10
If you do find a web application, it never hurts to run Nikto on it, as it contains a good set of default tests covering a wide range of topics. Beware of false positives, though! Always make sure you can reproduce an issue with a PoC.
The second vulnerability scanner on our list, Nuclei by ProjectDiscovery, has proven to be very versatile: it lets you write your own templates in the form of HTTP requests that can be executed against a large range of targets. The power of this tool comes both from an impressive list of community-built templates and from the ability to create your own.
Usefulness in bounties: 8/10
Running the community-built templates will probably not get great results unless you find an obscure subdomain, but this tool shows its real power when it comes to writing and running your own templates.
Usefulness in pentesting: 9/10
Even the public templates can bring in some amazing results, but when you can automate an exploit, you provide even more value to your customers, as it frees up valuable time for manual testing.
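As an added example of the kind of custom template described above (not from the original post and not one of ProjectDiscovery's own templates), here is a Nuclei template that flags hosts whose Server header leaks a software version, which is exactly the banner information the Nmap section recommends shutting down before production. The id, author and tags are placeholders, and the syntax assumes Nuclei v2.9 or later (the `http:` block rather than the older `requests:`).

```yaml
# Added example template: report Server headers that disclose a version.
# Run with: nuclei -t server-version-banner.yaml -l hosts.txt
id: server-version-banner   # placeholder id

info:
  name: Server header discloses software version
  author: example-author    # placeholder
  severity: info
  description: |
    Flags HTTP responses whose Server header contains a product/version
    pair (e.g. "nginx/1.18.0"), so banner disclosure can be removed
    before the host reaches production.
  tags: misconfig,headers   # placeholder tags

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      # Go regexp syntax; (?im) = case-insensitive, multi-line so ^ anchors
      # each header line. Matches "Server: product/1.2" style values.
      - type: regex
        part: header
        regex:
          - '(?im)^Server:\s*[A-Za-z][A-Za-z0-9_.-]*/[0-9]+(\.[0-9]+)*'

    extractors:
      # Surface the offending header in the finding for the report.
      - type: regex
        part: header
        regex:
          - '(?im)^Server:.*$'
```

Running it across the inventory and diffing the extracted values between scans gives the client a quick list of hosts where the banner still needs to be stripped.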