Today I stumbled upon Shodan, a search engine for devices and services.
I decided to search for Citrix and this was the first page of results:![]()
It's interesting to see that we get details such as the name of published applications. But it's possible to get even more details:
Seems like this is an old XenApp Server (or perhaps even Presentation Server) that's directly connected to the internet.
Let's attempt to connect with RDP:
Wow someone doesn't care much about security!
Let's try another one:
Seeing other services such as Oracle in the list made me think of other searches.
Sharename:
Searching for Metaframe brings up numerous old unpatched systems. The screenshot below is from a hotel which offers a lot of services (phun intended):
They must be secure though because they have a firewall.
What about a bank with telnet?
Searching for Remote Desktop even shows screenshots:
If you register for an account you can get an api key for automated queries. Combine it with Metasploit and serve up a list of exploitable systems of your liking!