Knowing the LAN IP behind any NAT is useful for silently launching behind-the-firewall cross-site attacks against the router web admin interface (or any other local services) via a browser, without having to blindly guess addresses. Someone posted a POC LAN scanner elsewhere in a thread here, too.
