How do I use nmap to scan a range of IPv6 addresses?

  • I need to scan a range of IPv6 addresses with Nmap, but I'm not sure how to do this. When scanning for an IPv4 range, I would usually do this:

    nmap -sP 192.168.*.*
    

    or

    nmap -sP 192.168.1.*
    

    but if I need to do this with an IPv6, how would I do it?

    This question appears to be off-topic because it is about reading the help page of the tool you are using....

    It says right there.... the `-6` flag enables IPv6 scanning...

    I did google for it, but I couldn't understand the IPv6 method of doing it. Am I posting in the right place btw?

    -6 yes, I did that - nmap -sP -6 fe80::* - but unfortunately it gives out an error saying "Failed to resolve given IPv6 hostname/IP: fe80::*. Note that you can't use '/mask' or '[1-4,7,100-]' style ranges for IPv6. Error code -2: Name or service not known" - which I don't really get, so if anyone has an idea about this..?

    are you sure target has IPv6? And are you sure you can access target via IPv6 address? try pinging via IPv6 first

    I'm sure that I've got an IPv6 address: inet6 addr: fe80::20f:20ff:fe70:7c0e/64 - but on pinging this address now, it gives an error msg - ping: unknown host fe80::20f:20ff:fe7...

    The latest version of Nmap, version 6.40 released in July 2013, supports CIDR-style addressing for IPv6. For link-scope addresses (`fe80::/10`), you need to specify which interface to use with -e. Ping won't work, you need ping6 and need to specify the interface like so: `ping6 fe80::20f:20ff:fe70:7c0e%eth0`

    Thanks @bonsaiviking, `ping6 fe80::20f:20ff:fe70:7c0e%eth1` worked. Btw, the nmap scan: `nmap -sP -PN -6 fe80::` works but without -PN doesn't work due to the ping probes being blocked.

    @Bravo.I `-PN` or `-Pn` does not "work," it simply tells Nmap not to even try pinging, but to report the host as up. The combination `-sP -PN` (renamed to `-sn -Pn` means "Don't ping and don't scan," so you aren't sending any packets at all.

  • Ladadadada

    Ladadadada Correct answer

    7 years ago

    I would assume that the range you are trying to scan is fe80:0000:0000:0000:0000:0000:0000:0000/112 which is the last 16 bits (the last section) of the address. That range includes 65,536 IPv6 addresses, probably all of which are going to time out when scanned. It will probably take most of a day (86,400 seconds - close enough to 65,536 at one second per timeout on average) just to ping that range to determine whether the machines are up or not.

    But such small ranges are rarely seen. ISPs are often handing customers a /64 range each, (and it seems this is what you have) meaning that the customer has 18,446,744,073,709,551,616 individual IPv6 addresses. Scanning a single customer like this would take years.

    There are discovery protocols that exist to allow you to find the exact IP address you need rather than scanning the entire range and these might be a better place to start.


    There are some existing answers here that may still help: Which tool (apart from nmap) can I use to scan a range of IPv6 addresses?

    Thank you very much! I think I'll use your answer as my starting point.

    Great answer regarding the difficulty of scanning IPv6 ranges. Current version (6.40) of Nmap will let you specify them, though.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM

Tags used