How to Scan and Discover Active IPv6 Hosts on a Local Network: Tools and Code Examples

When working with IPv6 networks, traditional ARP scanning methods used in IPv4 don't apply. The IPv6 equivalent is Neighbor Discovery Protocol (NDP), which handles address resolution and neighbor tracking. The ip -6 neighbor show command displays the current neighbor cache, but won't actively discover new hosts.
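To make the "address resolution" part of NDP concrete, here is an added example (not code from the original article) that computes the two mappings every Neighbor Solicitation depends on, using only the standard library: the solicited-node multicast group for a target address (RFC 4291) and the Ethernet multicast MAC an IPv6 multicast group is sent to (RFC 2464). This is why an NDP lookup is not a link-wide broadcast the way an ARP request is, and why the all-nodes group ff02::1 reaches the MAC 33:33:00:00:00:01.

```python
import ipaddress

# Added example, not part of the original article: the two address
# mappings NDP relies on, computed with only the standard library.


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group for a unicast IPv6 address (RFC 4291).

    A Neighbor Solicitation for `addr` is sent to ff02::1:ffXX:XXXX, where
    XX:XXXX are the low 24 bits of `addr`, so only hosts sharing those bits
    have to process it (an ARP request, by contrast, hits every host).
    """
    ip = ipaddress.IPv6Address(addr)
    low24 = int(ip) & 0xFFFFFF
    group = (0xFF02 << 112) | (1 << 32) | (0xFF << 24) | low24
    return ipaddress.IPv6Address(group)


def ipv6_multicast_mac(group: str) -> str:
    """Ethernet destination MAC for an IPv6 multicast group (RFC 2464):
    33:33 followed by the low 32 bits of the group address."""
    ip = ipaddress.IPv6Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = int(ip) & 0xFFFFFFFF
    return "33:33:" + ":".join(
        f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0)
    )


def neighbor_solicitation_targets(addr: str) -> tuple:
    """(IPv6 group, Ethernet MAC) that a Neighbor Solicitation for `addr`
    is addressed to; the answer is what populates `ip -6 neighbor show`."""
    group = solicited_node_multicast(addr)
    return str(group), ipv6_multicast_mac(str(group))


if __name__ == "__main__":
    for a in ("fe80::1", "2001:db8::1234:5678"):
        print(a, "->", neighbor_solicitation_targets(a))
    # the all-nodes group used by ping6 ff02::1 maps to 33:33:00:00:00:01
    print("ff02::1 ->", ipv6_multicast_mac("ff02::1"))
```

Run it as-is to see the mapping for the two sample addresses; pass any address from your own neighbor cache to see which group a solicitation for it would go to.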

Here are several reliable methods to find active IPv6 hosts:

1. Using NDP with ping6

First, ping the all-nodes IPv6 multicast address (ff02::1); every host on the link answers:

ping6 -I eth0 ff02::1%eth0

Then check your neighbor cache:

ip -6 neighbor show

2. Scanning with nmap

Nmap has excellent IPv6 support. For a quick scan:

nmap -6 --script=targets-ipv6-multicast-echo --script-args=newtargets

Or for more comprehensive discovery on the local link (-PR makes nmap use Neighbor Discovery for IPv6 targets):

nmap -6 -sn -PR fe80::/64

Note that a /64 holds 2^64 addresses, so nmap cannot sweep it to completion; give it an explicit list of addresses or a much smaller range instead. On the local link it is the multicast probe that actually turns hosts up.

3. Using the alive6 tool from THC-IPv6

The THC-IPv6 toolkit provides specialized tools:

alive6 eth0

This will send neighbor solicitation requests to potential targets.

Here's a Python script using Scapy for IPv6 host discovery:

#!/usr/bin/env python3
# Needs root (raw sockets) and scapy installed.
from scapy.all import IPv6, ICMPv6EchoRequest, sr, conf

def ipv6_discovery(interface):
    conf.iface = interface
    # ICMPv6 Echo Request to the all-nodes link-local multicast group.
    # No src is set, so Scapy uses the interface's own link-local address
    # instead of a hardcoded one that may not exist on this host.
    pkt = IPv6(dst="ff02::1") / ICMPv6EchoRequest()
    # multi=True: a multicast probe gets one reply per host, so keep
    # collecting answers until the timeout instead of stopping at the first.
    ans, unans = sr(pkt, iface=interface, timeout=2, multi=True, verbose=0)

    # Each reply's source address is a live host on the link
    hosts = sorted({rcv[IPv6].src for snd, rcv in ans})
    for host in hosts:
        print(f"Active host found: {host}")
    return hosts

if __name__ == "__main__":
    ipv6_discovery("eth0")

Common reasons a probe like this comes back with no replies:

  • Firewall blocking: Ensure ICMPv6 is allowed (unlike IPv4, ICMPv6 is essential for IPv6 operation)
  • Link-local scope: Remember to specify the interface (e.g., %eth0) for link-local addresses
  • DAD process: New hosts may not respond immediately due to Duplicate Address Detection

When I first ran ip -6 neighbor show and got empty results, I thought my IPv6 configuration was broken. But the reality is more nuanced - IPv6 neighbor discovery works differently than IPv4 ARP.

The neighbor cache only shows hosts you've recently communicated with. For a full scan, we need active discovery tools:

# Basic ping6 sweep (replace prefix with yours)
for i in {1..254}; do
  ping6 -c 1 2001:db8:1234:5678::${i} >/dev/null 2>&1 &
done
wait
ip -6 neighbor show | grep -v FAILED

Nmap provides comprehensive IPv6 scanning capabilities:

# Install nmap if needed
sudo apt install nmap

# Basic IPv6 ping scan (note: a /64 is 2^64 addresses and will never finish;
# give nmap a host list or a small range instead)
nmap -6 -sn fe80::/64

# Aggressive scan with OS detection (same caveat on the /64 target)
nmap -6 -A -T4 2001:db8::/64

# Service detection on specific hosts
nmap -6 -sV 2001:db8::1

For enterprise networks, consider these approaches:

# Multicast listener discovery
ping6 -I eth0 ff02::1

# Router advertisement capture
sudo tcpdump -i eth0 'icmp6 && ip6[40] == 134'

# Using scapy for custom discovery (Python, run as root)
from scapy.all import Ether, IPv6, ICMPv6EchoRequest, srp
# ff02::1 maps to the Ethernet multicast MAC 33:33:00:00:00:01 (RFC 2464),
# not the IPv4-style broadcast address; multi=True keeps collecting replies
# because every host on the link answers the one multicast request
ans, unans = srp(Ether(dst="33:33:00:00:00:01")/IPv6(dst="ff02::1")/ICMPv6EchoRequest(),
                 iface="eth0", timeout=2, multi=True, verbose=0)
ans.show()

Use these commands to filter meaningful data:

# Extract active IPv6 addresses
ip -6 neighbor show | awk '/REACHABLE/ {print $1}'

# Combine with mac addresses
ip -6 neighbor show | grep -v FAILED | column -t

# Persistent logging
sudo tcpdump -i eth0 -w ipv6_discovery.pcap 'icmp6 || udp port 5353'
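The awk and grep one-liners above work, but they count cache lines rather than hosts, and a single machine normally appears twice (link-local plus global address). As an added example, not code from the original article, here is a small parser for the text `ip -6 neighbor show` prints that keeps only entries in a live NUD state and groups them by link-layer address. The sample output embedded in it is constructed to match the command's format; the `read_neighbor_cache` helper runs the real command when it is available.

```python
import ipaddress
import subprocess
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not part of the original article. Parses the text that
# `ip -6 neighbor show` prints, which is what the awk/grep one-liners above
# operate on. SAMPLE_NEIGH_OUTPUT is constructed to look like that output.

# NUD states that mean the neighbor answered at some point. FAILED and
# INCOMPLETE mean resolution never succeeded (or expired), so they are left out.
LIVE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}

SAMPLE_NEIGH_OUTPUT = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::1 dev eth0 lladdr 00:11:22:33:44:55 router STALE
2001:db8:1::10 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
fe80::a8bb:ccff:fedd:ee01 dev eth0 lladdr aa:bb:cc:dd:ee:01 DELAY
2001:db8:1::20 dev eth0 FAILED
2001:db8:1::30 dev eth1 lladdr aa:bb:cc:dd:ee:02 PROBE
"""


@dataclass
class NeighborEntry:
    address: ipaddress.IPv6Address
    dev: str
    lladdr: Optional[str]  # None when the MAC was never learned
    state: str
    router: bool


def parse_neighbor_line(line: str) -> Optional[NeighborEntry]:
    """Parse one line of `ip -6 neighbor show`; return None for anything else."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[1] != "dev":
        return None
    try:
        address = ipaddress.IPv6Address(tokens[0])
    except ipaddress.AddressValueError:
        return None
    lladdr = None
    if "lladdr" in tokens:
        idx = tokens.index("lladdr")
        if idx + 1 < len(tokens):
            lladdr = tokens[idx + 1].lower()
    return NeighborEntry(address, tokens[2], lladdr, tokens[-1], "router" in tokens)


def live_hosts(output: str) -> List[NeighborEntry]:
    """Entries whose NUD state says the neighbor answered at some point."""
    entries = (parse_neighbor_line(ln) for ln in output.splitlines())
    return [e for e in entries if e is not None and e.state in LIVE_STATES]


def hosts_by_mac(entries: List[NeighborEntry]) -> Dict[str, List[ipaddress.IPv6Address]]:
    """Group addresses by link-layer address: one physical host usually shows
    up twice (link-local plus global), so counting lines overcounts hosts."""
    grouped: Dict[str, List[ipaddress.IPv6Address]] = defaultdict(list)
    for e in entries:
        if e.lladdr:
            grouped[e.lladdr].append(e.address)
    return dict(grouped)


def read_neighbor_cache() -> str:
    """Run the real command (needs iproute2, no special privileges)."""
    return subprocess.run(["ip", "-6", "neighbor", "show"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        output = read_neighbor_cache()
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_NEIGH_OUTPUT  # fall back to the constructed sample
    for mac, addrs in hosts_by_mac(live_hosts(output)).items():
        print(mac, " ".join(map(str, addrs)))
```

On the constructed sample this reports three hosts, not five cache lines: the router's link-local and global addresses share one MAC, as do the two addresses of the host ending in ee:01. Run it right after one of the multicast probes above, since the cache only contains neighbors that have recently been talked to.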

Remember that aggressive scanning may trigger security systems. Always:

  • Get proper authorization
  • Use appropriate timing (-T3 in nmap)
  • Consider passive monitoring instead
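The passive side of this is worth showing too. A sweep like the ping6 loop above produces one Neighbor Solicitation per probed address from a single source in a short time, and the multicast probe shows up as an echo request to ff02::1, both of which are visible in the ICMPv6 capture the tcpdump command above writes. The following added example, not code from the original article, parses tcpdump's text output (as printed with -n, here as constructed sample lines) and flags a source that solicits many distinct targets inside a short window, counts multicast echo probes per source, and lists who is sending Router Advertisements. The window and threshold values are assumptions to tune for your network.

```python
import re
from collections import Counter, defaultdict
from typing import List, Optional, Tuple

# Added example, not part of the original article. Works on tcpdump -n text
# output for ICMPv6 (e.g. `tcpdump -n -r ipv6_discovery.pcap icmp6`).
# SAMPLE_LINES below are constructed to match that format.

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"ICMP6, (?P<kind>[^,]+)(?:, (?P<rest>.*))?$"
)

SAMPLE_LINES = [
    "10:00:00.000000 IP6 fe80::1 > ff02::1: ICMP6, echo request, id 7, seq 1, length 64",
    "10:00:00.001000 IP6 fe80::2 > fe80::1: ICMP6, echo reply, id 7, seq 1, length 64",
    "10:00:00.500000 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8:1::2, length 32",
    "10:00:00.501000 IP6 2001:db8:1::2 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:1::2, length 32",
    "10:00:03.000000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64",
] + [
    # constructed: one source soliciting ten different targets within 10 microseconds
    f"10:00:05.{i:06d} IP6 fe80::5ca:1 > ff02::1:ff00:{i:x}: ICMP6, neighbor solicitation, "
    f"who has 2001:db8:1::{i:x}, length 32"
    for i in range(1, 11)
]


def parse_tcpdump_line(line: str) -> Optional[dict]:
    """Turn one tcpdump ICMPv6 line into an event dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    t = int(h) * 3600 + int(mi) * 60 + float(s)  # seconds since midnight
    rest = m.group("rest") or ""
    tm = re.search(r"who has ([0-9a-f:]+)", rest)  # NS lines name their target
    return {"t": t, "src": m.group("src"), "dst": m.group("dst"),
            "kind": m.group("kind"), "target": tm.group(1) if tm else None}


def detect_ns_sweeps(lines: List[str], min_targets: int = 8,
                     window: float = 5.0) -> List[Tuple[str, int]]:
    """Sources that solicit at least `min_targets` distinct addresses within
    any `window` seconds. Normal hosts resolve a handful of neighbors; a sweep
    resolves one per probed address. Thresholds are assumed values."""
    by_src = defaultdict(list)
    for ev in map(parse_tcpdump_line, lines):
        if ev and ev["kind"] == "neighbor solicitation" and ev["target"]:
            by_src[ev["src"]].append((ev["t"], ev["target"]))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        seen: Counter = Counter()  # distinct targets inside the sliding window
        start, best = 0, 0
        for t, target in events:
            seen[target] += 1
            while t - events[start][0] > window:  # drop events that fell out of the window
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))
        if best >= min_targets:
            alerts.append((src, best))
    return alerts


def count_multicast_probes(lines: List[str]) -> dict:
    """Echo requests to the all-nodes group, per source (the ping6 ff02::1 probe)."""
    probes: Counter = Counter()
    for ev in map(parse_tcpdump_line, lines):
        if ev and ev["kind"] == "echo request" and ev["dst"] == "ff02::1":
            probes[ev["src"]] += 1
    return dict(probes)


def router_advertisers(lines: List[str]) -> List[str]:
    """Sources sending Router Advertisements; compare against your known routers."""
    return sorted({ev["src"] for ev in map(parse_tcpdump_line, lines)
                   if ev and ev["kind"] == "router advertisement"})


if __name__ == "__main__":
    print("NS sweeps:", detect_ns_sweeps(SAMPLE_LINES))
    print("multicast probes:", count_multicast_probes(SAMPLE_LINES))
    print("RA senders:", router_advertisers(SAMPLE_LINES))
```

To use it on a real capture, feed it the lines from `tcpdump -n -r ipv6_discovery.pcap icmp6` instead of SAMPLE_LINES. The sweep detector is deliberately built on distinct targets rather than raw packet counts, because a single host retransmitting a solicitation for one unreachable neighbor should not trip it.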