I seem to be missing something, and need to be pointed in the right direction if you don't mind. In my lab I have a fully patched Vista and XP box and am attacking with a BT 4 box.

As they are fully patched, Metasploit attacks are a no go. Now, I am assuming that some of the software on each box is exploitable, such as firefox, and various p2p programs I have running.

Although I know what software I have installed, I don't know how an attacker would identify this. How could I find out for instance what software and version the box/user uses to surf the web or download the top 40 say?

The Vista Box:

135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows Vista
OS details: Microsoft Windows Vista
Network Distance: 1 hop

The XP box:

139/tcp open netbios-ssn
445/tcp open microsoft-ds
1026/tcp open LSA-or-nterm
2869/tcp closed unknown
5214/tcp open unknown
45100/tcp open unknown
Device type: general purpose|authentication server
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (99%), Juniper Windows 2000 (90%)
Aggressive OS guesses: Microsoft Windows XP SP2 (99%), Microsoft Windows XP SP2 or SP3 (97%), Microsoft Windows 2000 SP4 or Windows XP SP2 (96%), Microsoft Windows 2003 Small Business Server (96%), Microsoft Windows Small Business Server 2003 (95%), Microsoft Windows XP Professional SP2 (95%), Microsoft Windows Server 2003 SP1 or SP2 (94%), Microsoft Windows XP Professional SP2 (firewall enabled) (94%), Microsoft Windows Server 2003 SP2 (94%), Microsoft Windows XP SP2 (firewall disabled) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

googling ports tells me that Limewire has 2 ports open on the XP box, which it does but how would one know which version. Also, Winamp is running on this box (shoutcast radio) but this doesn't seem to be detectable neither does port 80 traffic. How can I gather further information?