first thing is install vmware and setup a linux virtual machine (kali linux comes with most hacking tools preinstalled), then install these packages
nikto - install this and run it against your target website, it looks for all known vulnerabilities
dirb - searches for all common sub directories - really useful for finding admin only sections
metasploit - another epxloit scanner
To be honest the chances of finding a vulnerability on an apache server is almost zero. The only chance you have to hack (or be hacked) is if you are using some out of date addons (joomla, wordpress etc). Apache and even IIS are pretty rock solid.
But there are fun things you can do, for example I found a website that was selling software I wanted, using dirb I found their "hidden" download directory and simply downloaded all their software for free.