File Transfer Protocol (FTP) and Telnet are examples of clear-text protocols, which could be exposed to the perimeter and are usually do not present the risk most automated tools rank them. This is unless the server contains critical data or can lead to critical data access, has known Remote Code Execution (RCE) vulnerabilities, or the solution has default or known credentials within it. They should still not be exposed to the Internet, but they are often not as dangerous as most Vulnerability Management Systems (VMS) rank the weakness. The reason for this is that for an attacker to take advantage of it, he or she has four primary methods of compromising an account.

The most common is by sniffing the credentials, which means that he or she has to be either locally present at the client or server side of the communication, or in the channel through the routed path. The second method is by compromising a system that stores these credentials. The third is by executing some type of social engineering attack, which means that if a user is susceptible to the attack, those credentials may warrant access to many other services as well and not only clear text protocols. The fourth is by executing an online credential attack against the service, such as a password spray, dictionary attack, or brute force. This is not to say that there is no risk related to clear-text protocols, but instead to point out that it is more difficult to exploit than what the VMS solutions advertise.

From years of assessments, compromises, and recommendations brought forth by security engineers, the primary example of exposed services today are web applications. These applications can be on a variety of ports, including nonstandard ports. They are often load balanced and potentially served through complex Content Delivery Networks (CDN), which effectively serve cached versions of the material provided from servers closer to the requesting user base. Additionally, these applications can be served from virtualized platforms that are sandboxed from other systems, within a provider's environment. So, even if you do crack the web application, you may not gain access to the target network. Keep this in mind if you are wondering why you cannot get anywhere after cracking the web application system. Also ensure that you have permission to test networks that are not controlled by the client.

Services such as Remote Desktop Protocol (RDP) and Secure Shell (SSH), for example, often provide direct access to an internal network. These services can be protected by multifactor authentication and they are encrypted, which means that executing Man-in-the-Middle (MitM) attacks is far more difficult. So, targeting these services will depend on which controls are not in place versus the fact that they are present.

In addition to web services, the other most common exposed service to the Internet are VPNs, which include, but not limited to Point-to-Point Tunneling Protocol (PPTP), Internet Security Association and Key Management Protocol (ISAKMP), or others. Attacks against these services are often multistage and require gaining other pieces of information, such as the group name or group password. This would be in addition to the standard username and password to authenticate as the specific user.

Many times, depending on the implementation, you may even need the specific software to associate with the device, such as Citrix or Cisco AnyConnect. Some vendors even have fees associated with the licensing of copies of their VPN software, so even if you do find all the necessary details, you may still need to find a copy of software that works, or the correct version. Additionally, pirating versions of these software components, as against purchasing them, may even open your or your client's network to compromises by using poisoned versions that may have their own liabilities.

We have spoken extensively about the manners in which mail services can be exploited. You will still see these services exposed, which means that there may still be an opportunity to find the desired details.

Services related to identifying Internet Protocol (IP) addresses related to Fully Qualified Domain Names (FQDN). Many times, these may be in the provided IP ranges, but they are actually out of scope, as they are owned by Internet Service Providers (ISP). Additionally, the vulnerabilities of yesterday, such as zone transfers, are not usually exploitable in today's networks.

In addition to the services already mentioned that run as UDP services, you may find Simple Network Management Protocol (SNMP) and Trivial File Transfer Protocol (TFTP). Both of these services can provide details of and access to systems, depending on the information they reveal. SNMP can provide system details if you find the correct community string, and sometimes, it can even provide passwords to the system itself if the version is old enough, though this is much rarer on Internet-facing systems. TFTP, on the other hand, is used as a primary means to back up configurations for network devices, and firewall administrators often mistakenly expose the service to the Internet from a Demilitarized Zone (DMZ) or semi-trusted network.