Its information gathering tools discovered a lot of pertinent data.
It correctly identified:
- my eth0 MAC.
- my wlan0 MAC.
- my firewall rules (using iptables -L -n -v -t filter).
- my operating system (using uname -a).
- the name of my computer (but not the user name).
- my programs listed as ESTABLISHED or LISTENING (using netstat).
"By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates network interfaces configured with IPv4 addresses."
- 127.0.0.1 (on interface lo)
- 93.xxx.xxx.xxx (on interface ppp0)
- 128.xxx.xxx.xxx (on interface wlan0)
Nessus gathers this information by sending the queries mentioned earlier (like uname -a) to port 0.
I first assumed that this would be an excellent tool to identify a person, as it reveals their real IP (if they are 'hiding' behind a VPN, assuming that wlan0 is not a 192.168.x.x address).
However, I then thought that the 'real' IP address can only be gathered as I was scanning myself.
I need to test this, but am I correct to think that if one outward-facing IP uses Nessus to scan a different outward-facing IP, then they would not get the 'real' IP addresses like I did when I scanned myself?
I don't see, for example, how commands like uname and iptables can be run on remote machines across the Internet because, if so, the whole idea of VPNs is rendered pointless.
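As an added example (not part of the question above, and not Nessus code), the following Python script models what the quoted plugin reports: it parses the interface listing a credentialed SSH scan would collect and flags which addresses are outside the loopback and RFC 1918 ranges, i.e. the ones that would identify the host on the Internet, as the question assumes for wlan0. The `ip -4 -o addr` sample and its addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of `ip -4 -o addr` output, in the shape a credentialed
# scan would collect over SSH. Addresses are placeholders, not real hosts.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
3: wlan0    inet 10.0.0.23/24 brd 10.0.0.255 scope global wlan0
5: ppp0    inet 203.0.113.45 peer 203.0.113.1/32 scope global ppp0
"""

# RFC 1918 private ranges; anything else (loopback aside) is treated as
# a public address for the purpose of this check.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

_LINE_RE = re.compile(r"^\d+:\s+(?P<iface>\S+)\s+inet\s+(?P<addr>[\d.]+)")


def enumerate_ipv4(output: str) -> list:
    """Return (interface, address) pairs parsed from `ip -4 -o addr` output."""
    found = []
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            found.append((m.group("iface"), m.group("addr")))
    return found


def classify(addr: str) -> str:
    """Label an address as loopback, private (RFC 1918) or public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def public_exposures(output: str) -> list:
    """Interfaces whose address would identify the host on the Internet."""
    return [(iface, addr) for iface, addr in enumerate_ipv4(output)
            if classify(addr) == "public"]
```

Running `public_exposures(SAMPLE_IP_ADDR)` returns only the ppp0 entry, mirroring why the VPN tunnel address, not the 10.x.x.x wlan0 address, is the one worth reviewing in a scan report.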