So, in my short-lived career as a penetration tester, I have performed around 4 external security assessments. Each assessment consisted of a scope of fewer than 20 public IP addresses, against which brute-force and denial-of-service attacks were not permitted. On each occasion, one or more of the following services were identified during a full TCP and UDP port scan.
Taking away ports 80, 443 and 8080, where it depends on whether there is a website available publicly and not secured so that only particular IP addresses can connect to it, I often find that the assessment is not very fruitful.
So what testing do I perform? Well, on an FTP service I will check to see if anonymous access is permitted, whether weak credentials are in use (without running hydra to brute-force, as apparently this is not permitted??), grab the banner and check for vulnerabilities in the software. On most occasions I pretty much can only report on the fact that FTP is clear text! Am I missing something, or is this how all external network penetration tests are?
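A small self-check for an FTP server you operate, as an added example (not from the original post): it gathers the welcome banner, the FEAT response and the anonymous-login result, and a helper `classify()` turns those into the findings the post mentions (anonymous access, version disclosure, clear-text credentials). The host name is a placeholder and `classify()` is my own helper, not a standard API.

```python
"""FTP exposure self-check for a server you operate (added example).

Assumes the standard-library ftplib; the host below is a placeholder.
Findings are derived by classify() from raw observations so the logic
can be exercised offline without a live server.
"""
import ftplib
import re

ANON_USERS = ("anonymous", "ftp")                 # conventional anonymous accounts
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")  # e.g. 1.3.5; skips the 220 reply code


def classify(banner: str, feat: str, anon_login_ok: bool) -> list:
    """Turn banner, FEAT text and login outcome into report-ready findings."""
    findings = []
    if anon_login_ok:
        findings.append("anonymous login permitted")
    # RFC 4217: AUTH TLS in FEAT means explicit FTPS is at least offered;
    # without it every USER/PASS exchange crosses the wire unencrypted.
    upper = feat.upper()
    if "AUTH TLS" not in upper and "AUTH SSL" not in upper:
        findings.append("no AUTH TLS advertised: credentials travel in clear text")
    match = VERSION_RE.search(banner)
    if match:  # a version string is what you then check against vendor advisories
        findings.append("version disclosed in banner: " + match.group(0))
    return findings


def check_ftp(host: str, port: int = 21, timeout: float = 5.0) -> list:
    """Collect banner, FEAT and anonymous-login result from one server."""
    ftp = ftplib.FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)
        try:
            feat = ftp.sendcmd("FEAT")
        except ftplib.error_perm:
            feat = ""                                # server lacks FEAT (RFC 2389)
        anon_ok = False
        for user in ANON_USERS:
            try:
                ftp.login(user, "anonymous@example.com")
                anon_ok = True
                break
            except ftplib.all_errors:                # rejected, or server dropped us
                continue
        return classify(banner, feat, anon_ok)
    except ftplib.all_errors as exc:                 # includes OSError and EOFError
        return ["connection failed: %s" % exc]
    finally:
        ftp.close()


if __name__ == "__main__":
    for finding in check_ftp("ftp.example.internal"):   # placeholder host
        print(finding)
```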