I recently ran a Nessus scan against my outward-facing IP. 

Its information gathering tools discovered a lot of pertinent data.

It correctly identified:

my eth0 MAC.
my wlan0 MAC.
my firewall rules (using iptables -L -n -v -t filter).
my operating system (using uname -a).
the name of my computer (but not the user name).
my programs listed as ESTABLISHED or LISTENING (using netstat)

For example:

"By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates network interfaces configured with IPv4 addresses."

- 127.0.0.1 (on interface lo)

- 93.xxx.xxx.xxx (on interface ppp0)
-
- 128.xxx.xxx.xxx (on interface wlan0)

Nessus gathers this information by sending the queries mentioned earlier (like uname -a) to port 0.

I first assumed that this would be an excellent tool to identify a person as it reveals their real IP (if they are 'hiding' behind a VPN) assuming that wlan0 is not a 192.168.x.x address).

However, I then thought that the 'real' IP address can only be gathered as I was scanning myself.

I need to test this but am I correct to think that if one outward-facing IP uses Nessus to scan a different outward-facing IP then they would not get the 'real' IP addresses like I did when I scanned myself. 

I don't see, for example, how commands like uname and iptables can be run on remote machines across the Internet because, if so, the whole idea of VPNs is rendered pointless.

Thanks!

I think this answers my question.

I am running Nessus from the target machine.

Hence, if I understand correctly, your point is that the information collected is "local".

And therefore if I was scanning the same machine remotely I would not be able to obtain such "local" information.

Correct?

But you can obtain some information about the remote system by sending packets over ICMP which doesn't use ports. Ping (ICMP ECHO) is one of the common ones, but there's also "timestamp" (if that's the right name), netmask, and more.

The Nessus reports says:

"By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates MAC addresses."

Two questions:

First, as this scan is done on the "port" 0 presumably it can only be done when the scanned machine and the scanning machine are on the same LAN?

Second, I don't understand what the "supplied credentials" mean?  I did not supply any such credentials but the SSH tool obtained my internal IP address and MAC addresses.  How?

Thanks as always.