A new lesson learned. At least, I'm filing it that way so I can jog my memory for future testing engagements.
We tested at a client the other week that claimed to have one Oracle database, running on top of a Windows 2003 server. It turns out that they had another Oracle database, sitting on a Solaris machine. (The IT department didn't know about the database because they didn't administer the machine....a whole other issue.) That wasn't such a big deal, as we had the scripts to test the database with us. However, while a co-worker was interviewing the DBA, he happened to see a MS SQL Server instance on the DBA's monitor. When we got back to the office, I poured through the vulnerability scans looking for a sql server. I found five. Three instances were found on client XP workstations. And, if I had to guess, those instances probably came bundled with specific software that was installed. A whole other issue for these networks. However, I found two instances residing in the data center on servers located there. Knowing this client, I think they were just forgotten, or not included because the databases were not part of a web application. But, they definitely should have been scanned, and it was noted in our initial documentation.
So, after each testing engagement, I'm searching the vulnerability scans for SQL Servers (of any type, for databases not mentioned to us;) both in the datacenter and on the client LAN. And, I'll probably do this early, so we can scan/test the databases the next day.