Using Google to find vulnerable machines attached to your network is always an eye-opening experience. Imagine finding a printer connected directly through your firewall to the Internet. This happens far more often than you might believe. Johnny Long's Web site, home of the Google Hacking Database (GHDB), is the easiest place to learn how the process is done. Start by redirecting the queries in the GHDB to your own domains and IP address ranges, then massage them to match your particular routers, switches, printers and Web servers. Granted, this is tedious work in the beginning, but it will save you many hours of penetration testing time in the long term.
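The scoping step above is mechanical enough to script. The following is an added example, not code from the article or from the GHDB itself: it takes a handful of constructed GHDB-style queries (the four entries below are made up for illustration), strips any `site:` operator a stock entry shipped with, pins each query to your own domain with Google's `site:` operator, keeps only the device categories you actually own, and emits ready-to-open search URLs. Google has no operator for a raw IP address range, so the example scopes by domain; `example.com` and the category names are placeholders.

```python
"""Scope Google Hacking Database (GHDB) style queries to your own assets.

Added example, not code from the original article or from the GHDB.
The sample queries below are constructed for illustration; the domain
and category values are hypothetical placeholders.
"""
import re
from urllib.parse import quote_plus

# Constructed sample of GHDB-style entries: (device category, query).
SAMPLE_DORKS = [
    ("printer", 'intitle:"Printer Status" "Ready"'),
    ("router", 'intitle:"Router Configuration" inurl:config'),
    ("webserver", 'intitle:"Index of /" "Parent Directory" site:example.org'),
    ("switch", 'inurl:"/level/15/exec/" intext:"show running"'),
]

# Matches an existing (possibly negated) site: operator in a stock query.
SITE_RE = re.compile(r"\s*-?site:\S+")


def scope_query(query: str, site: str) -> str:
    """Return `query` restricted to `site` with a Google `site:` operator.

    Any `site:` operator already present in the stock query is removed
    first, so the search is pinned to our own domain rather than to the
    example domain the GHDB entry shipped with.
    """
    cleaned = SITE_RE.sub("", query).strip()
    return f"{cleaned} site:{site}"


def select_dorks(dorks, categories):
    """Keep only the device categories you actually run."""
    wanted = set(categories)
    return [(cat, q) for cat, q in dorks if cat in wanted]


def build_search_urls(dorks, site, categories):
    """Produce (category, scoped query, URL) triples ready for a browser."""
    out = []
    for cat, q in select_dorks(dorks, categories):
        scoped = scope_query(q, site)
        out.append((cat, scoped, "https://www.google.com/search?q=" + quote_plus(scoped)))
    return out


if __name__ == "__main__":
    # Hypothetical target domain and the categories this network owns.
    for cat, q, url in build_search_urls(SAMPLE_DORKS, "example.com", ["printer", "router"]):
        print(f"[{cat}] {q}\n    {url}")
```

Feed the real GHDB entries in place of `SAMPLE_DORKS` and grow the category list as you identify which product families sit at your perimeter; the tedious part the article mentions is deciding, per entry, whether the fingerprint in the query matches hardware you actually have.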
The same techniques are used to find private data about your employees that may have leaked to the Internet from your network. The process is well refined for any Internet-facing network infrastructure and systems. Where it becomes really interesting is in finding your corporate intellectual property on the Internet... but that is a story for another day. This is the first tool my team uses, as it surfaces the highest-risk results first: a vulnerability that faces the Internet and is already indexed by Google is one that requires immediate attention.
Nessus security scanner
The open source Nessus Project was begun in 1998 by Renaud Deraison to compete with the commercial vulnerability scanners then available. Nessus is no longer open source, but it remains available in a free version that rivals the best commercial alternatives. As a result, Nessus is found in the toolbox of both well-funded and cash-strapped security organizations. The difference between the free product and the licensed commercial version is how quickly vulnerability signatures (the plug-ins) are updated: if you want up-to-the-minute updates, opt for the commercial license; if you don't mind waiting seven days for the same updates, the free product will serve you well.
Nessus has both a Linux/Unix version and a new Windows version (see screen image). The Nessus system consists of a Nessus server, a client, the Nessus plug-ins and the knowledge base. The Windows version provides all of these in a single package, though using it in this fashion is not required: the client can just as well connect to a server running on another machine.
Nessus tests all aspects of a target, including the operating system, open ports, services and applications, so its reports may be lengthy but are comprehensive. You'll need to validate the findings, as Nessus, like other network scanners, is prone to false positives.
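Because the reports are long and some findings will be wrong, the practical first step after a scan is triage: rank by severity and mark the items that must be confirmed by hand. The following is an added example, not code from the article or from Tenable. It assumes the `.nessus` v2 XML export format (`NessusClientData_v2` / `Report` / `ReportHost` / `ReportItem`, with `severity`, `pluginID` and `pluginName` attributes and a `plugin_output` child). The embedded report is constructed for illustration, its plugin IDs and hosts are made up, and the set of "banner-only" plugins to re-check by hand is a hypothetical local policy, not something Nessus publishes.

```python
"""Triage a Nessus .nessus (v2 XML) report: rank findings by severity and
flag the ones that need hand validation before they go in the final report.

Added example, not code from the article or from Tenable. Assumes the
.nessus v2 export format. The report below is constructed for
illustration; plugin IDs and hosts are made up, and BANNER_ONLY_PLUGINS
is a hypothetical local list.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="internal-dmz">
  <ReportHost name="192.0.2.10">
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
               pluginID="900001" pluginName="Outdated web server (banner)">
    <risk_factor>High</risk_factor>
    <plugin_output>Server: Apache/1.3.27</plugin_output>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="900002" pluginName="Host information">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.20">
   <ReportItem port="9100" svc_name="jetdirect" protocol="tcp" severity="2"
               pluginID="900003" pluginName="Printer exposed management port">
    <risk_factor>Medium</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Hypothetical local list: plugins known to decide on a version banner alone,
# which is exactly where a network scanner tends to report false positives
# (backported fixes leave the banner unchanged).
BANNER_ONLY_PLUGINS = {"900001"}

SEVERITY_LABEL = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Return a list of finding dicts from .nessus v2 XML text."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "proto": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def triage(findings, min_severity=1):
    """Drop informational items, sort highest severity first, and mark the
    findings that must be validated by hand before they are reported."""
    kept = [f for f in findings if f["severity"] >= min_severity]
    kept.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    for f in kept:
        f["needs_validation"] = f["plugin_id"] in BANNER_ONLY_PLUGINS
    return kept


if __name__ == "__main__":
    for f in triage(parse_nessus(SAMPLE_REPORT)):
        flag = " [VALIDATE]" if f["needs_validation"] else ""
        print(f'{SEVERITY_LABEL[f["severity"]]:8} {f["host"]}:{f["port"]}/{f["proto"]} '
              f'{f["name"]} (plugin {f["plugin_id"]}){flag}')
```

Replace `SAMPLE_REPORT` with the contents of a real export and extend `BANNER_ONLY_PLUGINS` as you learn which plugins mislead you in your environment; a finding marked `[VALIDATE]` gets a manual check (for example, confirming the actual patch level on the host) before it is called a vulnerability.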