Scan IPv6 Targets in Nmap


Introduction

In this lab, you will learn how to scan IPv6 targets using Nmap. The lab covers several key operations, including enabling an IPv6 scan on the loopback address, scanning a range of IPv6 addresses, running a TCP scan, adding verbosity to the scan, saving the scan results to a file, and reviewing the scan in the Xfce terminal. Each step provides practical commands and explanations to help you understand and perform IPv6 scans effectively.



Enable IPv6 scan with nmap -6 ::1

In this step, we will perform a basic IPv6 scan using nmap. nmap is a powerful network scanning tool used to discover hosts and services on a computer network by sending packets and analyzing the responses. The -6 option tells nmap to perform an IPv6 scan. ::1 is the IPv6 loopback address, equivalent to 127.0.0.1 in IPv4. It refers to your own machine.

Before we begin, it's helpful to understand the IPv6 address ::1. In IPv6, addresses are 128 bits long, usually written as eight groups of four hexadecimal digits, separated by colons. The :: notation is used to represent a sequence of one or more groups of zeroed-out hexadecimal digits. So, ::1 is shorthand for 0000:0000:0000:0000:0000:0000:0000:0001.
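The :: shorthand described above can be undone mechanically, which helps when comparing scan results against an inventory that stores full addresses. The function below is an added example, not part of the original lab; the name expand_v6 is illustrative, and addresses with an embedded IPv4 suffix are not handled.

```sh
#!/bin/sh
# Added example: expand a compressed IPv6 address to its full eight-group form.

# expand_v6 ADDRESS -> prints the full form, or returns 1 if it is malformed.
# A zone ID such as %eth0 is dropped before expansion.
expand_v6() {
    printf '%s\n' "$1" | awk '
    {
        addr = tolower($0)
        sub(/%.*$/, "", addr)                 # strip the zone ID, if any
        pos = index(addr, "::")
        if (pos > 0) {
            # "::" stands for however many zero groups are missing
            nl = split(substr(addr, 1, pos - 1), left, ":")
            nr = split(substr(addr, pos + 2), right, ":")
            if (nl + nr > 7) exit 1
            n = 0
            for (i = 1; i <= nl; i++) g[++n] = left[i]
            while (n < 8 - nr) g[++n] = "0"
            for (i = 1; i <= nr; i++) g[++n] = right[i]
        } else if (split(addr, g, ":") != 8) {
            exit 1
        }
        full = ""
        for (i = 1; i <= 8; i++) {
            # each group must be one to four hex digits
            if (g[i] !~ /^[0-9a-f][0-9a-f]?[0-9a-f]?[0-9a-f]?$/) exit 1
            # left-pad every group to four digits
            full = full (i > 1 ? ":" : "") substr("0000" g[i], length(g[i]) + 1)
        }
        print full
    }'
}
```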

Now, let's execute the scan.

  1. Open your Xfce terminal.

  2. Execute the following command:

sudo nmap -6 ::1

This command tells nmap to scan the IPv6 loopback address (::1). You'll need sudo because nmap often requires elevated privileges to send raw packets.

The output will look similar to this:

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for ip6-localhost (::1)
Host is up (0.000073s latency).
Other addresses for ip6-localhost (not scanned): fe80::1%lo

Service detection performed. Please report any incorrect results.
Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds

This output indicates that the host at ::1 is up and running. It also shows other addresses associated with ip6-localhost. The scan was completed successfully.

Scan IPv6 range with nmap -6 fe80::1-fe80::10

In this step, we will scan a range of IPv6 addresses using nmap. This is useful for discovering hosts within a specific network segment. The fe80::/10 IPv6 address range is used for link-local addresses, which are only valid within the local network segment. The addresses fe80::1 to fe80::10 represent a small range of these link-local addresses.

  1. Open your Xfce terminal.

  2. Execute the following command:

sudo nmap -6 fe80::1-fe80::10

This command tells nmap to scan the IPv6 address range from fe80::1 to fe80::10. nmap will send packets to each address in this range and analyze the responses to determine if a host is present and what services it is running.

The output will look similar to this (the exact output will depend on your network environment):

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for fe80::1
Host is up (0.00012s latency).
Other addresses for fe80::1: <MAC ADDRESS>%eth0

Nmap scan report for fe80::2
Host is down.

Nmap scan report for fe80::3
Host is down.

Nmap scan report for fe80::4
Host is down.

Nmap scan report for fe80::5
Host is down.

Nmap scan report for fe80::6
Host is down.

Nmap scan report for fe80::7
Host is down.

Nmap scan report for fe80::8
Host is down.

Nmap scan report for fe80::9
Host is down.

Nmap scan report for fe80::10
Host is down.

Nmap done: 10 IP addresses (1 host up) scanned in 2.54 seconds

In this example, only fe80::1 is reported as being up. The other addresses in the range are reported as down, meaning nmap did not receive a response from those addresses. Note that the MAC address associated with fe80::1 is also displayed.
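Nmap's reference guide lists full addresses, hostnames and CIDR notation as the IPv6 target forms, states that octet ranges are not supported for IPv6, and requires a zone ID suffix on addresses with non-global scope such as link-local ones. The script below is an added example, not part of the original lab, that expands a start-end range into an explicit target list and passes it to nmap with -iL. It assumes both ends differ only in the last 16-bit group; the function names, the script name v6range.sh and the eth0 zone are illustrative.

```sh
#!/bin/sh
# Added example: build an explicit IPv6 target list for "nmap -6 -iL".
# Assumption: both ends of the range differ only in the last 16-bit group.

# expand_v6_range PREFIX START_HEX END_HEX [ZONE]
# Prints one address per line; the last group is counted in hexadecimal.
expand_v6_range() {
    for h in "$2" "$3"; do
        case $h in
            ''|*[!0-9a-fA-F]*|?????*)
                echo "not a 1-4 digit hex group: '$h'" >&2
                return 1 ;;
        esac
    done
    start=$((0x$2)) end=$((0x$3))
    if [ "$start" -gt "$end" ]; then
        echo "range start $2 is above range end $3" >&2
        return 1
    fi
    i=$start
    while [ "$i" -le "$end" ]; do
        # ${4:+%$4} appends the zone ID (e.g. %eth0) only when one was given
        printf '%s%x%s\n' "$1" "$i" "${4:+%$4}"
        i=$((i + 1))
    done
}

# scan_v6_range PREFIX START_HEX END_HEX [ZONE]
# Writes the list to a temporary file and passes it to nmap with -iL.
scan_v6_range() {
    list=$(mktemp) || return 1
    status=0
    expand_v6_range "$@" > "$list" && sudo nmap -6 -iL "$list" || status=$?
    rm -f "$list"
    return "$status"
}

# Run a scan only when asked, e.g.: sh v6range.sh scan fe80:: 1 10 eth0
if [ "${1:-}" = "scan" ]; then
    shift
    scan_v6_range "$@"
fi
```

Because IPv6 groups are hexadecimal, the range fe80::1 to fe80::10 expands to 16 addresses (fe80::1 through fe80::f, then fe80::10), not 10.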

Run TCP scan with nmap -6 -sT ::1

In this step, we will perform a TCP scan on the IPv6 loopback address (::1) using nmap. The -sT option specifies a TCP connect scan. This type of scan completes the full TCP three-way handshake (SYN, SYN-ACK, ACK) to establish a connection with the target port. It's a reliable scan method, but it's also relatively slow and easily detectable.

  1. Open your Xfce terminal.

  2. Execute the following command:

sudo nmap -6 -sT ::1

This command tells nmap to perform a TCP connect scan (-sT) on the IPv6 loopback address (::1). sudo is required because nmap needs privileges to perform network scans.

The output will look similar to this:

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for ip6-localhost (::1)
Host is up (0.000026s latency).
All 1000 scanned ports on ip6-localhost (::1) are closed

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

This output indicates that the host at ::1 is up and running. It also shows that all 1000 scanned ports are closed. This is a common result if there are no services actively listening on those ports.

Add verbosity with nmap -6 -v ::1

In this step, we will add verbosity to the nmap scan. The -v option increases the verbosity level, providing more detailed information about the scan process. This can be helpful for understanding what nmap is doing and for troubleshooting any issues.

  1. Open your Xfce terminal.

  2. Execute the following command:

sudo nmap -6 -v ::1

This command tells nmap to perform a scan on the IPv6 loopback address (::1) with increased verbosity (-v).

The output will be more detailed than the previous scans. You'll see information about the scan phases, the probes being sent, and the responses received. For example:

Starting Nmap 7.80 ( https://nmap.org )
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 14:35
Scanning ::1 [4 ports]
Completed Ping Scan at 14:35, 0.00s elapsed (4 total ports)
Nmap scan report for ip6-localhost (::1)
Host is up (0.0000090s latency).
All 1000 scanned ports on ip6-localhost (::1) are closed

Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds

The -v option can be used multiple times (e.g., -vv or -vvv) to further increase the verbosity level. Each additional -v provides even more detailed information.

Save IPv6 results with nmap -6 -oN ipv6.txt ::1

In this step, we will save the nmap scan results to a file. The -oN option specifies that the output should be saved in normal format to the specified file. This allows you to review the scan results later or use them for further analysis.

  1. Open your Xfce terminal.

  2. Execute the following command:

sudo nmap -6 -oN ipv6.txt ::1

This command tells nmap to perform a scan on the IPv6 loopback address (::1) and save the results in normal format to a file named ipv6.txt in your current directory (~/project).

After the scan completes, you can view the contents of the ipv6.txt file using a text editor or the cat command.

For example, to view the file content using cat:

cat ipv6.txt

The output will be the scan results in a human-readable format, similar to what you see on the terminal.

# Nmap 7.80 scan initiated Mon Oct 23 14:40:00 2023
Nmap scan report for ip6-localhost (::1)
Host is up (0.000011s latency).
All 1000 scanned ports on ip6-localhost (::1) are closed

# Nmap done at Mon Oct 23 14:40:01 2023 -- 1 IP address (1 host up) scanned in 1.11 seconds

Review IPv6 scan in Xfce terminal

In this step, we will review the IPv6 scan results that we saved in the ipv6.txt file in the previous step. This will allow you to understand the output format and identify key information about the scanned target.

  1. Open your Xfce terminal.

  2. Use the cat command to display the contents of the ipv6.txt file:

cat ipv6.txt

This command will print the contents of the file to your terminal. You should see output similar to this:

# Nmap 7.80 scan initiated Mon Oct 23 14:40:00 2023
Nmap scan report for ip6-localhost (::1)
Host is up (0.000011s latency).
All 1000 scanned ports on ip6-localhost (::1) are closed

# Nmap done at Mon Oct 23 14:40:01 2023 -- 1 IP address (1 host up) scanned in 1.11 seconds

Alternatively, you can use a text editor like nano to open and review the file:

nano ipv6.txt

This will open the ipv6.txt file in the nano editor, allowing you to scroll through the results and examine them more closely. Press Ctrl+X to exit nano.

The output provides information such as:

  • The nmap version used for the scan.
  • The target IP address (::1 in this case).
  • The hostname associated with the IP address (if available).
  • The status of the host (up or down).
  • A list of scanned ports and their status (open, closed, filtered, etc.).
  • The time the scan was initiated and completed.
  • The total time taken for the scan.

By reviewing the scan results, you can gain insights into the network configuration and security posture of the target system.

Summary

In this lab, participants learned to perform various IPv6 scans using Nmap. They started by enabling a basic IPv6 scan on the loopback address ::1 with the command sudo nmap -6 ::1, understanding the IPv6 address notation and the need for elevated privileges. They also learned to scan an IPv6 range from fe80::1 to fe80::10 to discover hosts within a specific network segment. Additionally, they explored running a TCP scan, adding verbosity to the scan, saving the results to a file, and reviewing the scan in the Xfce terminal.