A system is operating in "promiscuous" mode which allows it to perform packet sniffing.

A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.

A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.

The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.

IP traceroute is allowed from arbitrary hosts.

ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.

ICMP echo (ping) is allowed from arbitrary hosts.

The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.

An NIS domain name is easily guessable.

A system-critical NETBIOS/SMB share has inappropriate access control.

A NETBIOS/SMB share password is the default, null, or missing.

A NETBIOS/SMB share password is guessable.

An SNMP community name is the default (e.g. public), null, or missing.

An SNMP community name is guessable.

An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.

UDP messages to broadcast addresses are allowed, allowing for a Fraggle attack that can cause a denial of service by flooding the target.

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers.

IP forwarding is enabled on a machine which is not a router or firewall.