
I need to scan a range of IPv6 addresses with Nmap, but I'm not sure how to do this. When scanning for an IPv4 range, I would usually do this:

nmap -sP 192.168.*.*

or

nmap -sP 192.168.1.*

but if I need to do this with an IPv6, how would I do it?

Ihsan
  • This question appears to be off-topic because it is about reading the help page of the tool you are using.... –  Feb 14 '14 at 11:09
  • It says right there.... the `-6` flag enables IPv6 scanning... –  Feb 14 '14 at 11:09
  • I did google for it, but I couldn't understand the IPv6 method of doing it. Am I posting in the right place btw? – Ihsan Feb 14 '14 at 11:10
  • -6 yes, I did that - nmap -sP -6 fe80::* - but unfortunately it gives out an error saying "Failed to resolve given IPv6 hostname/IP: fe80::*. Note that you can't use '/mask' or '[1-4,7,100-]' style ranges for IPv6. Error code -2: Name or service not known" - which I don't really get, so if anyone has an idea about this..? – Ihsan Feb 14 '14 at 11:12
  • are you sure target has IPv6? And are you sure you can access target via IPv6 address? try pinging via IPv6 first – cengizUzun Feb 14 '14 at 11:26
  • I'm sure that I've got an IPv6 address: inet6 addr: fe80::20f:20ff:fe70:7c0e/64 - but on pinging this address now, it gives an error msg - ping: unknown host fe80::20f:20ff:fe7... – Ihsan Feb 14 '14 at 11:33
  • The [latest version of Nmap](http://nmap.org/download.html), version 6.40 released in July 2013, supports CIDR-style addressing for IPv6. For link-scope addresses (`fe80::/10`), you need to specify which interface to use with -e. Ping won't work, you need ping6 and need to specify the interface like so: `ping6 fe80::20f:20ff:fe70:7c0e%eth0` – bonsaiviking Feb 14 '14 at 14:58
  • Thanks @bonsaiviking, `ping6 fe80::20f:20ff:fe70:7c0e%eth1` worked. Btw, the nmap scan: `nmap -sP -PN -6 fe80::` works but without -PN doesn't work due to the ping probes being blocked. – Ihsan Feb 15 '14 at 04:51
  • @Bravo.I `-PN` or `-Pn` does not "work," it simply tells Nmap not to even try pinging, but to report the host as up. The combination `-sP -PN` (renamed to `-sn -Pn`) means "Don't ping and don't scan," so you aren't sending any packets at all. – bonsaiviking Feb 15 '14 at 13:19

1 Answer

I would assume that the range you are trying to scan is fe80:0000:0000:0000:0000:0000:0000:0000/112 which is the last 16 bits (the last section) of the address. That range includes 65,536 IPv6 addresses, probably all of which are going to time out when scanned. It will probably take most of a day (86,400 seconds - close enough to 65,536 at one second per timeout on average) just to ping that range to determine whether the machines are up or not.

But such small ranges are rarely seen. ISPs are often handing customers a /64 range each (and it seems this is what you have), meaning that the customer has 18,446,744,073,709,551,616 individual IPv6 addresses. Scanning a single customer like this would take years.

There are discovery protocols that exist to allow you to find the exact IP address you need rather than scanning the entire range and these might be a better place to start.
There are some existing answers here that may still help: Which tool (apart from nmap) can I use to scan a range of IPv6 addresses?

Ladadadada
  • Great answer regarding the difficulty of scanning IPv6 ranges. Current version (6.40) of Nmap will let you specify them, though. – bonsaiviking Feb 14 '14 at 14:59
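The two things the thread turns on are the size of an IPv6 prefix (the answer's 65,536 addresses for a /112 and 18,446,744,073,709,551,616 for a /64) and the workaround for Nmap builds that reject `/mask` ranges for IPv6: hand Nmap an explicit list of addresses instead. The script below is an added example, not code from the question, the answer or the Nmap project. It uses Python's standard `ipaddress` module to compute the prefix size and the answer's worst-case sweep time (its assumption of roughly one second per address that times out), expands a small prefix into a target file, and composes the host-discovery command from the flags discussed in the thread (`-6`, `-sn` as the renamed `-sP`, `-e` for the interface a link-local `fe80::/10` target needs) plus Nmap's `-iL` option for reading targets from a file. The interface name `eth1`, the file name `targets.txt` and the /120 prefix are constructed values for the demonstration.

```python
import ipaddress
from typing import List

# Assumption carried over from the answer above: a sequential ping sweep
# spends about one second per address that never replies. This is a
# planning figure for estimating sweep time, not an Nmap parameter.
DEFAULT_TIMEOUT_S = 1.0


def prefix_stats(prefix: str, timeout_s: float = DEFAULT_TIMEOUT_S) -> dict:
    """Size of a prefix and the worst-case sweep time if every address
    times out. Works for IPv4 too, so the asker's 192.168.1.0/24 can be
    compared with an IPv6 /64 directly."""
    net = ipaddress.ip_network(prefix, strict=False)
    seconds = net.num_addresses * timeout_s
    return {
        "network": str(net),
        "addresses": net.num_addresses,
        "seconds": seconds,
        "days": seconds / 86400,
        "years": seconds / (86400 * 365.25),
    }


def expand_targets(prefix: str, limit: int = 1 << 16) -> List[str]:
    """Enumerate every address of a small prefix as explicit targets, the
    workaround for Nmap builds that reject '/mask' ranges for IPv6.
    Refuses anything larger than `limit` addresses (a /112 by default)
    so that a customer /64 is never expanded by accident."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.num_addresses > limit:
        raise ValueError(
            f"{net} holds {net.num_addresses} addresses; refusing to expand "
            f"more than {limit}. Use neighbour discovery instead of sweeping."
        )
    return [str(addr) for addr in net]


def nmap_command(interface: str, target_file: str) -> str:
    """Compose the host-discovery command the thread converges on:
    -6 selects IPv6, -sn is ping-only discovery (formerly -sP), -e pins the
    interface that link-local (fe80::/10) targets require, and -iL reads
    the expanded target list from a file."""
    return f"nmap -6 -sn -e {interface} -iL {target_file}"


def write_targets(prefix: str, path: str) -> int:
    """Write the expanded target list, one address per line; returns the
    number of targets written."""
    targets = expand_targets(prefix)
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")
    return len(targets)


if __name__ == "__main__":
    for p in ("fe80::/112", "fe80::/64"):
        s = prefix_stats(p)
        print(f"{s['network']}: {s['addresses']} addresses, "
              f"~{s['days']:.1f} days / ~{s['years']:.0f} years worst case")
    # Constructed example: a /120 (256 hosts) around the asker's link-local
    # address, swept on interface eth1 (assumed name).
    n = write_targets("fe80::20f:20ff:fe70:7c00/120", "targets.txt")
    print(f"wrote {n} targets; run: {nmap_command('eth1', 'targets.txt')}")
```

The refusal in `expand_targets` is deliberate: the answer's point is that a /64 is not sweepable, and a target generator that silently tries to write 2^64 lines would only rediscover that the hard way. Neighbour discovery on the local link (or the existing answers the post links to) is the practical route for anything larger than a few thousand addresses.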