I think the clues to try this exploit are the OS and that port 445 is open.

That Metasploit link you posted shows the OS in the vulnernable OS list.  Plus, the RHOST lines defaults to 445 [SMB service port.  (side question:  Is this port configurable if you're setting up the network in a production environment?)].

I'm not a pentester by day though, just from what I've gathered in my own lab awhile back when messing with that exploit.

Whenever I see 445 open and the box is XP ish... I always look for 08-067.

To know how the scanner checks for this particular vulnerability you can look at the details of the vulnerability to learn how its triggered. In this case, I cheated and looked at smb-check-vulns.nse, which is an nmap script.

On line 130 of the script you see "---Check if the server is patched for MS08-067. This is done by calling NetPathCompare with an -- illegal string. If the string is accepted, then the server is vulnerable; if it's rejected, then -- you're safe (for now). "

In the code you see what he does to check for 08-067 and it begins to makes sense...

   -- Call netpathcanonicalize
--   status, netpathcanonicalize_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\a", "\\test\\")
   
   local path1 = "\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\..\\n"
   local path2 = "\\n"
   status, netpathcompare_result = msrpc.srvsvc_netpathcompare(smbstate, host.ip, path1, path2, 1, 0)

   -- Stop the SMB session
   msrpc.stop_smb(smbstate)

   if(status == false) then
      if(string.find(netpathcompare_result, "UNKNOWN_57") ~= nil) then
         return true, INFECTED
      elseif(string.find(netpathcompare_result, "INVALID_NAME") ~= nil) then
         return true, PATCHED
      else
         return true, UNKNOWN, netpathcompare_result
      end
   end


   return true, VULNERABLE
end

Thank you for your answers, lorddicranius, Grendel and cd1zz!

@cd1zz: I have read the nse script and you are right, it is very obvious when you cheat!

From lorddicranius:

From cd1zz:

That's what I was thinking. If you don't have access to a vulnerability scanner, but only nmap without the .nse scripts, it's pretty tough to find an exploit unless you have already used it or seen it before.

In my original post, I mentioned:

So let's say MS08-067 is patched and you can't use Nessus, OpenVAS, or any nmap scripts. The approach has to be that, based on experience, you would do like Grendel mentioned and first look at the OS, the open ports and the services fingerprints.

But still, for example, it's one thing to see that Apache 1.2.3 is running an find an exploit for it (quite easy), but in my example above, you have to know about it...

So here's what I will do from now on: use these vulnerability scanners in the lab and whenever I can to find the vulnerabilities, but instead of just running the corresponding exploit and forget about it, I will take very, very good notes and add it to my toolbox.

Again, other than when the service is very well documented (like in my Apache 1.2.3 example), I am just afraid of the times when I won't be able to use a scanner. Getting something like this:


It will be tough to find the exploit I have never used...

I like the way you think H1t M0nk3y!  It's one thing to scan and assume but a whole other thing to test beyond that of the scanner.  Sometimes a scanner like Nessus may just guess at the vulnerability by factoring what it does know.  But other times it sends test data, I've personally seen this when I ran it against some public facing Web App servers.  I turned on the Web App Testing setting and then reviewed the results.  Basically it did the quick tests for XSS and SQLi where appropriate.  Not enough to break anything but, like nmap, just a quick sample request to see if the vulnerability exists.  Other results you see it makes its decision based on OS, service version etc.. 

That's what I have been doing more lately.

Yes, that's why very short contracts to perform pentests on many hosts requires vulnerability scanners. Otherwise, you need lots of experience (and there is always something new!) or lots of time...