My Favorite Pentest Findings That Shouldn’t Exist Anymore

Every time I run a pentest, I tell myself:

“This will be the engagement where I don’t find anything stupidly obvious.”

And every time, the universe laughs in my face.

Here are some of my favorite pentest findings that absolutely shouldn’t exist in 2025, yet here we are.


1. Default Credentials

If I had a dollar for every:

  • admin:admin
  • root:toor
  • cisco:cisco

…I wouldn’t need to pentest anymore. I’d be on a beach somewhere, ironically logging into the resort Wi-Fi admin panel with admin:admin.

🔧 Reality check:
If your security policy doesn’t mandate changing default creds before production deployment, you’re not doing security. You’re running a public sandbox for attackers.
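One way to make that policy enforceable rather than aspirational is a gate in the deployment pipeline. The Python below is an added example, not code from the original post: it checks an inventory of accounts against a small list of known vendor defaults (the three pairs above plus a few generic ones) and against patterns that show up just as often (password equals username, password is the username reversed, as in root:toor). The default list, thresholds and the account inventory are constructed for illustration; a real gate would load a maintained list.

```python
"""Pre-deployment credential gate (added example, not from the post).

Rejects accounts whose username/password pair is a known vendor default or
follows a trivially guessable default pattern. The lists and the inventory
below are constructed for illustration.
"""
from typing import Iterable, List, Optional, Tuple

# Known default pairs, lower-cased. The first three are the ones from the post.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("root", "toor"),
    ("cisco", "cisco"),
    ("admin", "password"),
    ("guest", "guest"),
}

# Passwords that ship as "change me later" and never get changed.
GENERIC_DEFAULT_PASSWORDS = {"password", "changeme", "default", "123456", ""}


def classify_credential(username: str, password: str) -> Optional[str]:
    """Return a finding label when the pair looks like a default, else None."""
    u, p = username.strip().lower(), password.strip().lower()
    if (u, p) in KNOWN_DEFAULTS:
        return "known-default-pair"
    if p == u:
        return "password-equals-username"
    if p == u[::-1]:                      # root:toor style
        return "password-is-reversed-username"
    if p in GENERIC_DEFAULT_PASSWORDS:
        return "generic-default-password"
    return None


def audit_accounts(accounts: Iterable[Tuple[str, str, str]]) -> List[dict]:
    """Run the gate over (host, username, password) triples; return findings."""
    findings = []
    for host, user, pw in accounts:
        label = classify_credential(user, pw)
        if label:
            findings.append({"host": host, "user": user, "finding": label})
    return findings


def gate_passes(accounts: Iterable[Tuple[str, str, str]]) -> bool:
    """True when nothing trips the gate; wire this into CI or a deploy step."""
    return not audit_accounts(list(accounts))


# Constructed inventory for demonstration (hostnames are made up).
SAMPLE_ACCOUNTS = [
    ("fw-edge-01", "cisco", "cisco"),
    ("db-backup-02", "root", "toor"),
    ("wifi-ap-lobby", "admin", "ChangeMe"),
    ("app-prod-01", "deploy", "Xk9#v2!qL@8pR$wZ"),
]

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{f['host']}: {f['user']} -> {f['finding']}")
    print("gate passes:", gate_passes(SAMPLE_ACCOUNTS))
```

Three of the four constructed accounts fail the gate (the two vendor defaults and the never-changed "ChangeMe"), so the deploy is blocked. The pattern checks matter more than the list: a list only catches the defaults you already know about.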


2. Anonymous FTP

Welcome to 1995: an FTP server running with anonymous login and read/write permissions on critical directories.

Bonus points if your backups folder is exposed.
Double bonus if it’s listed in Google search results.

🔧 Reality check:
FTP is dead. Anonymous FTP is necromancy.
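If you want to find these before the pentester does, the configs are easy to audit. The Python below is an added example, not from the original post: it parses the key=value format vsftpd uses, overlays it on the defaults documented in vsftpd.conf(5) (anonymous_enable defaults to YES, so a config that never mentions it is already a finding), and reports whether anonymous users can log in and whether they can write. The two configs are constructed samples: one modelled on the exposed backups folder above, one with anonymous access switched off.

```python
"""Audit a vsftpd.conf for anonymous access (added example, not from the post).

vsftpd reads one key=value per line; '#' lines are comments. Defaults for
absent keys follow vsftpd.conf(5). Both configs below are constructed samples.
"""
from typing import Dict, List

DEFAULTS = {
    "anonymous_enable": "YES",          # default YES per vsftpd.conf(5)
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Overlay the file's key=value pairs on the documented defaults."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                    # blank, comment, or malformed line
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().upper()
    return conf


def audit_ftp_config(text: str) -> List[str]:
    """Return findings as strings; an empty list means no anonymous exposure."""
    conf = parse_vsftpd_conf(text)
    findings = []
    if conf["anonymous_enable"] == "YES":
        findings.append("anonymous login enabled")
        # vsftpd only lets anonymous users write when the global write switch
        # AND one of the anon-specific switches are both on.
        anon_can_write = conf["write_enable"] == "YES" and (
            conf["anon_upload_enable"] == "YES"
            or conf["anon_mkdir_write_enable"] == "YES"
        )
        if anon_can_write:
            findings.append("anonymous users can write (upload/mkdir)")
    return findings


# Constructed: the exposed backups folder, writable by anyone.
WEAK_CONF = """\
# legacy backup drop box, do not touch
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/srv/backups
"""

# Constructed: anonymous access off, authenticated users confined to their home.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_ftp_config(conf) or ["clean"])
```

The hardened config still runs FTP, which is the minimum fix, not the right one; the point of running the audit across an inventory is to find the servers that should be retired in favour of SFTP or an authenticated file share.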


3. SMBv1 Still Enabled

Because apparently WannaCry wasn’t traumatic enough for people to disable it.

Every time I see SMBv1 open on an external or internal host, I wonder if I’ve accidentally traveled back in time to 2017.

🔧 Reality check:
There is no valid business justification for SMBv1 in production today. Period.


4. Outdated, End-of-Life Systems Exposed

Oh look, an internet-facing Windows Server 2008 box.
Running RDP.
With no NLA (Network Level Authentication).

It’s like a siren song to attackers:

“Please exploit me. My admins gave up years ago.”

🔧 Reality check:
If you can’t patch it, segment it. If you can’t segment it, decommission it. If you can’t decommission it, at least prepare your incident response playbook because you’ll need it.


5. No MFA on Remote Access

VPN login pages without MFA are the gift that keeps on giving.

Combine that with credentials harvested from previous breaches, and congratulations, you’re owned.

🔧 Reality check:
Attackers don’t brute force VPNs anymore. They credential stuff. And if you’re not using MFA, you’re basically leaving your front door open with a neon sign that says “Welcome, no keys required.”
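The difference between the two matters for detection, too: brute force hammers one account, credential stuffing walks through many accounts with one or two leaked passwords each, so a per-account lockout never fires. The Python below is an added example, not from the original post. It runs over a few constructed VPN auth log lines (the line format, gateway name and addresses from the documentation ranges are all made up), groups failures by source address, separates the two patterns by the ratio of attempts to distinct usernames, and escalates any source that eventually got a successful login. Thresholds are illustrative.

```python
"""Spot credential stuffing in VPN auth logs (added example, not from the post).

One source trying many *different* usernames, a try or two each, is stuffing;
one source hammering a single account is brute force. A success from a source
already flagged is the alert that matters. Log format and lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.10 cycles through accounts (stuffing),
# 198.51.100.7 hammers one account (brute force), 192.0.2.5 is a normal user.
SAMPLE_LOG = """\
2025-03-04T02:11:07Z vpn-gw1 auth: user=alice src=203.0.113.10 result=FAIL
2025-03-04T02:11:08Z vpn-gw1 auth: user=bob src=203.0.113.10 result=FAIL
2025-03-04T02:11:09Z vpn-gw1 auth: user=carol src=203.0.113.10 result=FAIL
2025-03-04T02:11:10Z vpn-gw1 auth: user=dave src=203.0.113.10 result=FAIL
2025-03-04T02:11:11Z vpn-gw1 auth: user=erin src=203.0.113.10 result=FAIL
2025-03-04T02:11:12Z vpn-gw1 auth: user=frank src=203.0.113.10 result=OK
2025-03-04T02:12:01Z vpn-gw1 auth: user=admin src=198.51.100.7 result=FAIL
2025-03-04T02:12:02Z vpn-gw1 auth: user=admin src=198.51.100.7 result=FAIL
2025-03-04T02:12:03Z vpn-gw1 auth: user=admin src=198.51.100.7 result=FAIL
2025-03-04T02:12:04Z vpn-gw1 auth: user=admin src=198.51.100.7 result=FAIL
2025-03-04T02:12:05Z vpn-gw1 auth: user=admin src=198.51.100.7 result=FAIL
2025-03-04T02:12:06Z vpn-gw1 auth: user=admin src=198.51.100.7 result=FAIL
2025-03-04T02:15:00Z vpn-gw1 auth: user=grace src=192.0.2.5 result=FAIL
2025-03-04T02:15:09Z vpn-gw1 auth: user=grace src=192.0.2.5 result=OK
"""

MIN_FAILS = 5            # illustrative thresholds; tune to your gateway's volume
MIN_DISTINCT_USERS = 5   # stuffing: many accounts from one source...
MAX_TRIES_PER_USER = 2   # ...with only a try or two each


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse matching lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Return {src: verdict} for sources whose failures look automated."""
    fails = defaultdict(list)       # src -> list of usernames that failed
    successes = defaultdict(set)    # src -> usernames that later succeeded
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["user"])
        else:
            successes[e["src"]].add(e["user"])

    verdicts = {}
    for src, users in fails.items():
        if len(users) < MIN_FAILS:
            continue
        distinct = len(set(users))
        tries_per_user = len(users) / distinct
        if distinct >= MIN_DISTINCT_USERS and tries_per_user <= MAX_TRIES_PER_USER:
            kind = "credential-stuffing"
        elif distinct == 1:
            kind = "brute-force"
        else:
            continue
        verdicts[src] = {
            "kind": kind,
            "failed_attempts": len(users),
            "distinct_users": distinct,
            "severity": "high" if successes.get(src) else "medium",
            "succeeded_users": sorted(successes.get(src, ())),
        }
    return verdicts


if __name__ == "__main__":
    for src, v in detect(parse_log(SAMPLE_LOG)).items():
        print(src, v)
```

On the sample, 203.0.113.10 is flagged as credential stuffing at high severity because frank's login succeeded after five other accounts failed; 198.51.100.7 is plain brute force; grace's single typo is ignored. With MFA in front of the VPN the first verdict is a nuisance ticket instead of an incident.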


6. Sensitive Paths in robots.txt

Because when you want attackers to find your hidden admin panels and dev endpoints, what better place to advertise them than in a public file explicitly designed for web crawlers?

🔧 Reality check:
robots.txt is a suggestion for search engines, not a security control.
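Reviewing your own robots.txt before it ships is a two-minute job, and it is easy to script. The Python below is an added example, not from the original post: it parses the User-agent / Disallow / Allow groups (comments start with '#', an empty Disallow means "allow everything"; consecutive User-agent lines are treated as separate groups here, a simplification) and flags Disallow paths that look like they are being hidden rather than merely kept out of search results. The sample file and the keyword list are constructed; tune the list to your own naming conventions.

```python
"""Audit a robots.txt for paths it shouldn't advertise (added example, not from
the post). The sample file and the keyword list below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Path fragments that usually mean "we didn't want anyone to find this".
SENSITIVE_HINTS = re.compile(
    r"(admin|backup|bak|dump|\.sql|\.git|\.env|config|internal|staging|dev|"
    r"debug|phpmyadmin|wp-login)",
    re.IGNORECASE,
)


def parse_robots(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return [(user_agent, [(directive, path), ...]), ...] in file order.

    A group starts at a User-agent line; directives seen before any
    User-agent are attached to '*'. Everything after '#' is a comment.
    """
    groups = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            current = (value, [])
            groups.append(current)
        elif field in ("disallow", "allow"):
            if current is None:
                current = ("*", [])
                groups.append(current)
            current[1].append((field, value))
    return groups


def audit_robots(text: str) -> List[Dict[str, str]]:
    """Flag Disallow paths that leak sensitive-looking locations."""
    findings = []
    for agent, rules in parse_robots(text):
        for directive, path in rules:
            if directive != "disallow" or not path:
                continue                # Allow lines and empty Disallow: skip
            m = SENSITIVE_HINTS.search(path)
            if m:
                findings.append({"agent": agent, "path": path,
                                 "hint": m.group(1).lower()})
    return findings


# Constructed sample robots.txt.
SAMPLE_ROBOTS = """\
# robots.txt - constructed sample
User-agent: *
Disallow: /search          # fine: just noisy for crawlers
Disallow: /admin/          # advertises the admin panel
Disallow: /backup/2024/db-dump.sql
Disallow: /dev-api/v2/
Disallow: /.git/
Allow: /public/

User-agent: Googlebot
Disallow:
"""

if __name__ == "__main__":
    for f in audit_robots(SAMPLE_ROBOTS):
        print(f"[{f['agent']}] {f['path']}  (matched: {f['hint']})")
```

The fix for each flagged line is the same: take it out of robots.txt and put the resource behind authentication (or remove it), because anyone who reads the file will now try the path regardless of what the crawlers do.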


Final Thoughts

These findings shouldn’t exist. But they do. Because:

  • IT teams are overworked.
  • Change control is bureaucratic hell.
  • Security is underfunded.
  • And sometimes… people just don’t care.

The real threat isn’t zero-days. It’s 10-year-old misconfigurations no one bothers to fix.

But hey, keep ignoring them. At least my pentest reports stay interesting.


Now if you’ll excuse me, I’m off to check if your Jenkins instance is still open to the world with no auth.