What Should I Look for in Reconnaissance?

Title says it really. I found 2 IPs (different networks but linked in terms of company) and I know their operating systems and ports but they're just the standard email ports. What should I look for now? I know what they're running on the server side and the webserver version for one of them. Should I try to find the versions of php they're to see if there is any exploits? I know one of the websites has a reflected xss vulnerability but it filters out