Scanning IPv6 Addresses (`-6` Option) with Nmap

This article explains how to use Nmap to scan IPv6 addresses, what makes scanning IPv6 different from IPv4, and how to effectively and responsibly use this capability in real-world scenarios.

The internet is steadily evolving from IPv4 to IPv6, a shift driven by the exhaustion of IPv4 addresses and the need for more scalable and efficient networking. As more systems begin to use IPv6, it’s vital for network administrators, penetration testers, and cybersecurity professionals to understand how to scan and assess these networks. One of the most powerful tools in any network scanner’s toolkit is Nmap, and fortunately, Nmap includes robust support for IPv6 scanning using the -6 option.


Table of Contents

  1. Introduction to IPv6
  2. Why Scan IPv6 Networks?
  3. Nmap’s IPv6 Capabilities
  4. The -6 Option Explained
  5. Scanning IPv6 Hosts: Syntax and Examples
  6. Port Scanning over IPv6
  7. Host Discovery with IPv6
  8. Common Pitfalls and Limitations
  9. IPv6 and Firewalls
  10. Best Practices for IPv6 Scanning
  11. Conclusion

1. Introduction to IPv6

IPv6 (Internet Protocol version 6) is the successor to IPv4 and was introduced to deal with the limited number of IP addresses available under IPv4. IPv6 uses 128-bit addresses compared to IPv4’s 32-bit, allowing for approximately 340 undecillion (3.4×10³⁸) unique addresses. This astronomical number not only solves the address exhaustion issue but also introduces a fundamentally different network structure.

IPv6 addresses are written in hexadecimal and separated by colons, for example:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Or in shorthand:

2001:db8:85a3::8a2e:370:7334

2. Why Scan IPv6 Networks?

As IPv6 becomes more prevalent, scanning for active hosts, open ports, and services in IPv6 networks becomes a necessity. Cybersecurity assessments must not only include IPv4 but also account for IPv6 implementations that may be poorly configured or under-monitored.

Reasons to scan IPv6

  • Enumerate active devices in dual-stack environments
  • Identify exposed services running on IPv6 addresses
  • Detect inconsistent firewall policies
  • Audit IPv6 usage and configuration
  • Penetration testing of IPv6-enabled infrastructure

3. Nmap’s IPv6 Capabilities

Nmap supports most of its core features over IPv6, including:

  • Host discovery (ping scan)
  • TCP/UDP port scanning
  • OS detection (to a limited extent)
  • Script scanning (NSE)
  • Service version detection

However, some features such as traceroute and OS fingerprinting are less reliable over IPv6 due to protocol differences and implementation limitations.

To enable IPv6 scanning, Nmap provides the -6 switch.


4. The -6 Option Explained

The -6 flag tells Nmap to treat all IP addresses in the command line as IPv6 rather than IPv4. Without it, Nmap defaults to IPv4, even if you specify an IPv6 address (which may result in errors or unexpected behavior).

Basic syntax

nmap -6 <IPv6-address>

For example:

nmap -6 2606:4700:4700::1111

This command will scan the IPv6 address belonging to Cloudflare’s DNS service.


5. Scanning IPv6 Hosts: Syntax and Examples

Let’s walk through a few basic examples.

Example 1: Scan a single IPv6 address

nmap -6 2001:4860:4860::8888

This scans Google’s public DNS IPv6 address using default options.

Example 2: Scan specific ports

nmap -6 -p 53,80,443 2606:4700:4700::1001

Scans only ports 53, 80, and 443 on the specified host.

Example 3: Scan a hostname that resolves to an IPv6 address

nmap -6 ipv6.google.com

Nmap automatically resolves the AAAA (IPv6) record of the hostname and uses it for scanning.


6. Port Scanning over IPv6

Port scanning works largely the same as in IPv4. You can specify TCP, UDP, or SCTP scans. For example:

TCP SYN scan (default for root users)

sudo nmap -6 -sS 2001:db8::1

UDP scan

sudo nmap -6 -sU 2001:db8::1

TCP Connect scan (for non-root users)

nmap -6 -sT 2001:db8::1

Note that UDP scanning over IPv6 can be slow: open UDP ports rarely answer an empty probe, and the ICMPv6 port-unreachable replies that identify closed ports are often rate-limited or filtered, so Nmap has to wait out retransmissions before classifying each port.


7. Host Discovery with IPv6

Host discovery (i.e., ping scanning) can be tricky in IPv6. Unlike IPv4, where sweeping a /24 is routine, you can't brute-force an IPv6 /64: the number of possible addresses in a single subnet is far too large to enumerate.

Basic ping scan

nmap -6 -sn 2001:db8::1

Scanning multiple known IPv6 addresses

nmap -6 -sn 2001:db8::1 2001:db8::2 2001:db8::3

DNS-based discovery

If your network publishes AAAA records for its hosts, you can enumerate those records and scan the resulting addresses instead of trying to guess IPv6 addresses manually.
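One way to put the "known hosts first" approach into practice, as an added example that is not part of the article: it pulls IPv6 addresses out of constructed text sources (a DNS zone excerpt and an `ip -6 neigh` table, both invented for this example), discards link-local and multicast entries, collapses the expanded and shorthand forms of the same address, and produces the target list for `nmap -6`.

```python
import ipaddress
import re

# Constructed sample inputs (not from the article): a DNS zone excerpt with
# AAAA records and the neighbor table of a router or host (`ip -6 neigh`).
ZONE_FILE = """\
www     IN  AAAA  2001:db8:0:1::80
mail    IN  AAAA  2001:0db8:0000:0001:0000:0000:0000:0025
vpn     IN  AAAA  2001:db8:0:2::443
www     IN  A     192.0.2.10
"""
NEIGH_TABLE = """\
2001:db8:0:1::80 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
fe80::1 dev eth0 lladdr 00:11:22:33:44:66 router STALE
2001:db8:0:1:f00d::7 dev eth0 lladdr 00:11:22:33:44:77 DELAY
ff02::1 dev eth0 lladdr 33:33:00:00:00:01 NOARP
"""

# Loose pattern for anything that looks like an IPv6 literal; the ipaddress
# module does the real validation (MAC addresses and lone colons fail it).
_IPV6_CANDIDATE = re.compile(r"[0-9A-Fa-f:]*:[0-9A-Fa-f:]*")


def gather_ipv6_targets(*sources):
    """Extract scannable IPv6 addresses from free-form text sources.

    Tokens that do not parse are skipped, link-local, multicast, loopback and
    unspecified addresses are dropped (Nmap cannot usefully target them from
    a remote scanner), and the expanded and shorthand spellings of the same
    address (see section 1) collapse to one entry. Returns compressed,
    sorted, de-duplicated addresses ready for the nmap -6 command line.
    """
    found = set()
    for text in sources:
        for token in _IPV6_CANDIDATE.findall(text):
            try:
                addr = ipaddress.IPv6Address(token)
            except ValueError:
                continue
            if addr.is_link_local or addr.is_multicast or addr.is_loopback or addr.is_unspecified:
                continue
            found.add(addr)
    return [str(a) for a in sorted(found)]


def build_nmap_command(targets, extra_args=("-sn",)):
    """Assemble the invocation shown in section 7 for several known addresses."""
    return " ".join(["nmap", "-6", *extra_args, *targets])


if __name__ == "__main__":
    print(build_nmap_command(gather_ipv6_targets(ZONE_FILE, NEIGH_TABLE)))
```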


8. Common Pitfalls and Limitations

Despite its power, Nmap’s IPv6 scanning comes with a few caveats:

  • You can’t scan a range like 2001:db8::1-100. Nmap does not support IPv6 address ranges due to the impractical size of IPv6 subnets.
  • CIDR notation (e.g., /64) is unsupported for full scanning. You must supply individual known addresses.
  • Some Nmap scripts (NSE) may not work correctly with IPv6, especially those relying on older protocols or IPv4 assumptions.
  • IPv6 has no broadcast or ARP: this removes some common host discovery techniques used on IPv4 networks.

9. IPv6 and Firewalls

On Linux, IPv6 traffic is filtered by a separate ruleset, ip6tables, rather than by the rules that govern IPv4. Many networks still rely on traditional perimeter firewalls, and a common mistake is to secure IPv4 traffic while forgetting to implement equivalent IPv6 rules.

When scanning over IPv6, you might encounter the following:

  • ICMPv6 filtering that blocks pings or Neighbor Discovery Protocol (NDP)
  • IPv6-only services that are not available over IPv4
  • Dual-stack misconfigurations that leak information unintentionally

Always assess both stacks when auditing a network, and ensure that firewall policies match across both protocols.


10. Best Practices for IPv6 Scanning

To make the most of IPv6 scanning, consider the following best practices:

  1. Focus on known hosts: Use DNS records, logs, or router tables to gather potential IPv6 addresses before scanning.
  2. Use -Pn cautiously: Since ICMPv6 responses can be filtered, you may need to skip host discovery, but be aware this increases scan time.
  3. Test dual-stack services: Check if a service behaves differently over IPv6 than IPv4.
  4. Use verbose and debug flags: Add -v or -d to troubleshoot issues during IPv6 scanning.
  5. Scan with NSE scripts selectively: Only run scripts that are known to support IPv6 targets.
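The firewall-parity check that section 9 calls for, and the dual-stack comparison in item 3 above, as an added example that is not part of the article: it parses two Nmap XML (-oX) reports for the same dual-stack host, one from an IPv4 scan and one from a `-6` scan, and reports ports open over one stack but not the other. The XML excerpts are constructed for this example and are not real scan results.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap -oX excerpts for one dual-stack host (not real output).
# Over IPv4 the perimeter firewall filters SSH and MySQL; over IPv6 it does not.
SCAN_IPV4 = """<nmaprun><host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="filtered"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/></port>
</ports></host></nmaprun>"""

SCAN_IPV6 = """<nmaprun><host><status state="up"/>
<address addr="2001:db8:0:1::80" addrtype="ipv6"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
<port protocol="tcp" portid="3306"><state state="open"/></port>
</ports></host></nmaprun>"""


def open_ports(nmap_xml):
    """Return the set of (protocol, port) pairs reported open in one Nmap XML report."""
    root = ET.fromstring(nmap_xml)
    result = set()
    for port in root.iter("port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            result.add((port.get("protocol"), int(port.get("portid"))))
    return result


def stack_parity(ipv4_xml, ipv6_xml):
    """Compare the open-port sets of the two stacks.

    Returns (ipv6_only, ipv4_only). A non-empty ipv6_only list is the classic
    symptom from section 9: an IPv4 firewall rule with no ip6tables equivalent.
    """
    v4, v6 = open_ports(ipv4_xml), open_ports(ipv6_xml)
    return sorted(v6 - v4), sorted(v4 - v6)


if __name__ == "__main__":
    v6_only, v4_only = stack_parity(SCAN_IPV4, SCAN_IPV6)
    for proto, port in v6_only:
        print(f"{port}/{proto} open over IPv6 only: check ip6tables parity")
    for proto, port in v4_only:
        print(f"{port}/{proto} open over IPv4 only: IPv6-reachable service missing?")
```

Feed it the files from `nmap -oX v4.xml <ipv4-address>` and `nmap -6 -oX v6.xml <ipv6-address>` of the same host to run the check against real output.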

11. Conclusion

As IPv6 adoption continues to grow, the need to effectively scan and secure IPv6 networks becomes increasingly important. Nmap’s -6 option provides a flexible and powerful way to conduct IPv6 assessments, but it also introduces new challenges—particularly around host discovery and address enumeration.

When using Nmap for IPv6, it’s important to plan ahead: gather known addresses, leverage DNS when possible, and ensure your scanning methods are tailored for the intricacies of the protocol. While IPv6 scanning has its hurdles, it also offers an opportunity to find misconfigurations and vulnerabilities that may otherwise go unnoticed.

By understanding the strengths and limitations of Nmap’s IPv6 scanning features, cybersecurity professionals can stay ahead of the curve and help ensure that both IPv4 and IPv6 assets are properly secured.
