Although we haven't exhausted all if the IPv4 addresses as some people predicted, IPv6 addresses are becoming more common, and the Nmap development team has been working hard on improving its IPv6 support. All of the port scanning and host discovery techniques have been implemented already, and this makes Nmap essential when working with IPv6 networks.
This recipe describes how to scan an IPv6 address with Nmap.
Let's scan the IPv6 address representing the localhost (::1):
# nmap -6 ::1
The results look like a regular Nmap scan:
Nmap scan report for ip6-localhost (::1) Host is up (0.000018s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 25/tcp open smtp Exim smtpd 80/tcp open http Apache httpd 2.2.16 ((Debian)) 631/tcp open ipp CUPS 1.4 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
The argument -6 tells Nmap to perform IPv6 scanning. You can basically set any other flag in combination with -6. It supports scanning techniques using raw packets, service detection, TCP port and ping scanning, and the Nmap scripting engine.
# nmap -6 -sT --traceroute ::1 Nmap scan report for ip6-localhost (::1) Host is up (0.00033s latency). Not shown: 996 closed ports PORT STATE SERVICE 25/tcp open smtp 80/tcp open http 631/tcp open ipp 8080/tcp open http-proxy
When performing IPv6 scanning, remember that you can use hostnames and IPv6 addresses as targets:
# nmap -6 scanmev6.nmap.org # nmap -6 2600:3c01::f03c:91ff:fe93:cd19
OS detection for IPv6 addresses works in a similar way to that for IPv4; probes are sent and matched against a fingerprint database. The probes sent are listed at http://nmap.org/book/osdetect-ipv6-methods.html. You can enable OS detection in IPv6 scans with the option -O:
#nmap -6 -O <target>
OS detection was added very recently, and you can help by sending fingerprints for the Nmap's database used for the detection algorithms. The procedure to submit new IPv6 fingerprints is described by Luis Martin Garcia at http://seclists.org/nmap-dev/2011/q3/21. Knowing how fast the Nmap team works, I know it will be ready soon.
- The Hiding our traffic with additional random data recipe
- The Forcing DNS resolution recipe
- The Excluding hosts from yours scans recipe
- The Gathering network information with broadcast scripts recipe
- The Scanning using specific port ranges recipe in Chapter 1, Nmap Fundamentals
- The Spoofing the origin IP of a port scan recipe in Chapter 3, Gathering Additional Host Information
- The Scanning IPv6 addresses recipe
- The Skipping tests to speed up long scans recipe in Chapter 7, Scanning Large Networks
- The Adjusting timing parameters recipe in Chapter 7, Scanning Large Networks
- The Selecting the correct timing template recipe in Chapter 7, Scanning Large Networks