How do hackers find holes?


When I see black hats exploiting gaps in security, I have to wonder, how the hell did someone find this?

Is there an algorithm? I would think the white hats would have the algorithms too?

Even in video games, how do they find such obscure holes in professional programming?


4 Answers

Anonymous

To massively oversimplify a huge topic – there are two classes of vulnerability: known and zero-day vulnerabilities.

Known vulnerabilities are documented in systems like the CVE Program. They maintain a list of vulnerabilities by software version and attempt to rank them according to severity. If you are able to fingerprint the version of software (for example, by sending a request to a server and causing it to expose the IIS version number in the response header), then you can look for known vulnerabilities associated with that version of the software and work from there.

Zero-days are publicly unknown or undisclosed vulnerabilities, and finding them is significantly more complex and usually requires advanced knowledge and experience working with technology much closer to the metal. An understanding of things like CPU instruction sets and memory allocation, and skills in software debugging/reverse engineering, etc., are often required to discover new vulnerabilities. A researcher might also use techniques like fuzzing to try to crash or elicit an unusual response from a system to identify any potential bugs or holes that could be exploited.

That is a huge oversimplification but hopefully offers some insight.
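As an added illustration of the fuzzing approach the answer mentions (example code written for this page, not from the original answer): a mutation fuzzer run against a toy record parser that is deliberately missing a bounds check, with the hardened parser beside it. The record format, both parsers and the seed input are all constructed for this example; only the loop shape, mutate a known-good input, feed it in, and treat any exception the code did not plan for as a crash worth investigating, is what real fuzzers do at much larger scale.

```python
import random
SEED_RECORD = b"2:hi" + bytes([(ord("h") + ord("i")) % 256])  # constructed valid record

def _header(data: bytes):
    """Split '<length>:<rest>'; ValueError if the length field is malformed."""
    head, sep, body = data.partition(b":")
    if not sep:
        raise ValueError("missing separator")
    return int(head), body  # int() raises ValueError on non-numeric text

def parse_record(data: bytes) -> dict:
    """Toy parser for '<length>:<payload><1-byte checksum>' with a deliberate bug."""
    length, body = _header(data)
    payload = body[:length]
    # BUG: no check that `length` payload bytes exist, so this index can run past the end
    if sum(payload) % 256 != body[length]:
        raise ValueError("checksum mismatch")
    return {"length": length, "payload": payload}

def parse_record_fixed(data: bytes) -> dict:
    length, body = _header(data)
    if not 0 <= length < len(body):  # the missing bounds check
        raise ValueError("bad or truncated length")
    return parse_record(data)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: overwrite, delete, or insert a byte."""
    buf = bytearray(seed)
    op = rng.randrange(3)
    if op == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(target, seeds, iterations=2000, rng_seed=1):
    """ValueError = input rejected as designed; anything else = unexpected crash."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((candidate, type(exc).__name__))
    return crashes
```

Running `fuzz(parse_record, [SEED_RECORD])` turns up IndexError crashes within a few dozen iterations (a deleted byte makes the declared length longer than the data), while `fuzz(parse_record_fixed, [SEED_RECORD])` returns an empty list because the hardened parser rejects the same inputs with a ValueError.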
