Version: 1.0 Last Updated: 2025-10-29 Sprint: 5.1 Phase 4.3 Status: Production-Ready - 100% IPv6 Scanner Coverage
- Overview
- IPv6 Addressing Fundamentals
- CLI Flags Reference
- Scanner-Specific IPv6 Behavior
- Protocol Details
- Performance Characteristics
- Common Use Cases
- Troubleshooting
- Best Practices
- Advanced Topics
ProRT-IP WarScan provides comprehensive IPv6 support across all scanning modes, enabling network reconnaissance in dual-stack and IPv6-only environments. As of Sprint 5.1, all 6 scanner types support both IPv4 and IPv6 protocols.
- Adoption Growth: IPv6 deployment exceeded 40% globally as of 2024
- Dual-Stack Networks: Most modern networks support both IPv4 and IPv6
- IoT Explosion: Many IoT devices are IPv6-first or IPv6-only
- Security: IPv6-only attack surfaces are often overlooked in security assessments
- Future-Proofing: IPv4 address exhaustion makes IPv6 inevitable
- 100% Scanner Coverage: All 6 scan types (TCP Connect, SYN, UDP, Stealth, Discovery, Decoy) support IPv6
- Dual-Stack Resolution: Automatic hostname resolution to both IPv4 and IPv6
- Protocol Preference: User-controlled preference for IPv4 vs IPv6 with fallback
- CIDR Support: Full IPv6 CIDR notation (/64, /48, etc.) for subnet scanning
- ICMPv6 & NDP: Native support for IPv6 discovery protocols
- Performance Parity: IPv6 scans match or exceed IPv4 performance on modern hardware
| Sprint | Feature | Status |
|---|---|---|
| 4.21 | TCP Connect IPv6, packet building | ✅ Complete |
| 5.1 Phase 1 | TCP Connect + SYN IPv6 | ✅ Complete |
| 5.1 Phase 2 | UDP + Stealth IPv6 | ✅ Complete |
| 5.1 Phase 3 | Discovery + Decoy IPv6 | ✅ Complete |
| 5.1 Phase 4 | CLI flags, cross-scanner tests, docs | ✅ Complete |
Purpose: Internet-routable addresses (equivalent to public IPv4)
Format: 2001:db8:85a3::8a2e:370:7334
Examples:
# Scan a single global unicast address
prtip -sS -p 80,443 2001:4860:4860::8888
# Scan a global unicast /64 subnet
prtip -sS -p 80,443 2001:db8::/64Characteristics:
- Routable on the public internet
- Typically assigned by ISPs or regional registries
- First 48 bits: Global routing prefix
- Next 16 bits: Subnet ID
- Last 64 bits: Interface Identifier (IID)
Purpose: Communication within a single network segment (equivalent to APIPA in IPv4)
Format: fe80::1234:5678:90ab:cdef
Examples:
# Scan link-local address (requires interface specification on some platforms)
prtip -sS -p 80,443 fe80::1%eth0
# Scan link-local /64 subnet
prtip -sS -p 80,443 fe80::/64Characteristics:
- Not routable beyond local link
- Auto-configured on all IPv6 interfaces
- Always start with fe80::
- Require zone ID (%eth0, %en0) on multi-homed systems
- Common for device-to-device communication
Purpose: Private IPv6 networks (equivalent to RFC 1918 in IPv4)
Format: fd00:1234:5678:90ab::1
Examples:
# Scan ULA address
prtip -sS -p 22,80,443 fd12:3456:789a:1::1
# Scan ULA /48 organization network
prtip -sS -p 22,80,443 fd00:1234:5678::/48Characteristics:
- Not routable on public internet
- Unique within an organization
- fc00::/7 range (fd00::/8 for locally assigned)
- No central registry (like RFC 1918 addresses)
Purpose: One-to-many communication
Format: ff02::1 (all nodes), ff02::2 (all routers)
Examples:
# Scan all nodes on local link (may not work due to firewall rules)
prtip -sS -p 80,443 ff02::1
# NDP solicited-node multicast (used by Discovery Engine)
# Format: ff02::1:ffXX:XXXX (last 24 bits of target address)Characteristics:
- ff01:: = Interface-local
- ff02:: = Link-local
- ff05:: = Site-local
- ff0e:: = Global
- Used for NDP, router discovery, mDNS, etc.
Purpose: Local host testing (equivalent to 127.0.0.1 in IPv4)
Format: ::1
Examples:
# Scan IPv6 loopback (common for testing)
prtip -sS -p 80,443 ::1
# Test all scanners on loopback
prtip -sT -p 22,80,443,3306,5432 ::1
prtip -sS -p 22,80,443,3306,5432 ::1 --privileged
prtip -sU -p 53,161,123 ::1Characteristics:
- Single address (not a subnet like 127.0.0.0/8)
- Always refers to local system
- Cannot be assigned to physical interface
- Ideal for scanner validation tests
Purpose: Indicates absence of an address
Format: :: or 0:0:0:0:0:0:0:0
Characteristics:
- Used before address assignment
- Cannot be used as destination
- Equivalent to 0.0.0.0 in IPv4
2001:0db8:85a3:0000:0000:8a2e:0370:7334
2001:db8:85a3::8a2e:370:7334
Rules:
- Leading zeros in each 16-bit block can be omitted: 0db8 → db8
- Consecutive zero blocks can be replaced with :: (only once): 0000:0000 → ::
- Use lowercase hexadecimal (convention, not requirement)
# /64 subnet (most common, 18.4 quintillion addresses)
2001:db8::/64
# /48 site (65,536 subnets)
2001:db8:1234::/48
# /32 ISP allocation
2001:db8::/32
# /128 single host
2001:db8::1/128Common Prefix Lengths:
- /128: Single host
- /64: Single subnet (default for LANs)
- /56: Small organization (256 subnets)
- /48: Medium organization (65,536 subnets)
- /32: Large organization or ISP
ProRT-IP provides Nmap-compatible CLI flags for IPv6 protocol control.
Purpose: Prefer IPv6 addresses when resolving hostnames
Usage:
# Force IPv6 resolution for hostname
prtip -sS -6 -p 80,443 example.com
# Still accepts IPv6 literals
prtip -sS -6 -p 80,443 2001:db8::1
# Mixed targets (hostname resolved to IPv6, literal used as-is)
prtip -sS -6 -p 80,443 example.com 192.168.1.1 2001:db8::1Behavior:
- Hostnames resolve to AAAA records (IPv6)
- IPv4 literals remain IPv4
- IPv6 literals remain IPv6
- Falls back to IPv4 if no AAAA record exists
Nmap Compatibility: ✅ Equivalent to nmap -6
Purpose: Prefer IPv4 addresses when resolving hostnames
Usage:
# Force IPv4 resolution for hostname
prtip -sS -4 -p 80,443 example.com
# Still accepts IPv4 literals
prtip -sS -4 -p 80,443 192.168.1.1
# Mixed targets (hostname resolved to IPv4, literal used as-is)
prtip -sS -4 -p 80,443 example.com 192.168.1.1 2001:db8::1Behavior:
- Hostnames resolve to A records (IPv4)
- IPv4 literals remain IPv4
- IPv6 literals remain IPv6
- Falls back to IPv6 if no A record exists
Nmap Compatibility: ✅ Equivalent to nmap -4
Purpose: Use IPv6 when available, fall back to IPv4
Usage:
# Prefer IPv6, accept IPv4 fallback
prtip -sS --prefer-ipv6 -p 80,443 dual-stack.example.com
# Useful for dual-stack networks
prtip -sS --prefer-ipv6 -p 80,443 192.168.1.0/24 2001:db8::/64Behavior:
- Try AAAA record first
- Fall back to A record if AAAA not found
- IPv4/IPv6 literals always work
- Graceful degradation for mixed environments
Use Case: Testing IPv6 connectivity before committing to IPv6-only
Purpose: Use IPv4 when available, fall back to IPv6
Usage:
# Prefer IPv4, accept IPv6 fallback
prtip -sS --prefer-ipv4 -p 80,443 dual-stack.example.com
# Default behavior for legacy networks
prtip -sS --prefer-ipv4 -p 80,443 10.0.0.0/8 fd00::/48Behavior:
- Try A record first
- Fall back to AAAA record if A not found
- IPv4/IPv6 literals always work
- Legacy-friendly default
Use Case: Gradual IPv6 migration, prefer tested IPv4 infrastructure
Purpose: Reject all IPv4 addresses, IPv6 only
Usage:
# IPv6-only scan (error on IPv4 targets)
prtip -sS --ipv6-only -p 80,443 2001:db8::/64
# Error: IPv4 address provided in IPv6-only mode
prtip -sS --ipv6-only -p 80,443 192.168.1.1
# Error: Target 192.168.1.1 is IPv4, but --ipv6-only specifiedBehavior:
- IPv4 literals cause immediate error
- Hostnames must resolve to AAAA records
- A-only hostnames cause error
- Enforces pure IPv6 scanning
Use Case: IPv6-only networks, security assessments requiring IPv6 purity
Purpose: Reject all IPv6 addresses, IPv4 only
Usage:
# IPv4-only scan (error on IPv6 targets)
prtip -sS --ipv4-only -p 80,443 192.168.1.0/24
# Error: IPv6 address provided in IPv4-only mode
prtip -sS --ipv4-only -p 80,443 2001:db8::1
# Error: Target 2001:db8::1 is IPv6, but --ipv4-only specifiedBehavior:
- IPv6 literals cause immediate error
- Hostnames must resolve to A records
- AAAA-only hostnames cause error
- Enforces pure IPv4 scanning
Use Case: Legacy networks, IPv4-only security assessments
Conflicting Flags (Error):
# Error: Cannot specify both -6 and -4
prtip -sS -6 -4 -p 80,443 example.com
# Error: Cannot specify both --ipv6-only and --prefer-ipv4
prtip -sS --ipv6-only --prefer-ipv4 -p 80,443 example.comValid Combinations:
# OK: -6 is just a preference, compatible with preference flags
prtip -sS -6 --prefer-ipv6 -p 80,443 example.com
# OK: Multiple targets, single protocol preference
prtip -sS -6 -p 80,443 host1.example.com host2.example.comIPv6 Support: ✅ Full dual-stack (Sprint 5.1 Phase 1.1-1.5)
Description: Completes full TCP three-way handshake using standard OS TCP stack.
Usage:
# IPv6 single host
prtip -sT -p 80,443 2001:db8::1
# IPv6 CIDR
prtip -sT -p 22,80,443 2001:db8::/64
# Dual-stack target list
prtip -sT -p 80,443 192.168.1.1 2001:db8::1 example.comBehavior:
- Uses kernel TCP stack (no raw sockets required)
- No privilege escalation needed
- Automatic IPv4/IPv6 socket creation
- RST sent on port closure (logged by target)
- Full connection establishment
Performance:
- IPv6 overhead: <5% vs IPv4 on modern hardware
- Loopback: ~5ms for 6 ports
- LAN: ~20-50ms depending on RTT
- WAN: Comparable to IPv4 (dominated by RTT)
Port States:
- Open: SYN → SYN+ACK → ACK completed
- Closed: SYN → RST received
- Filtered: SYN timed out (no response)
Example Output:
Scanning 2001:db8::1...
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp closed mysql
8080/tcp filtered http-alt
IPv6 Support: ✅ Full dual-stack (Sprint 5.1 Phase 1.6)
Description: Sends TCP SYN packets without completing handshake (half-open scanning).
Privileges: Requires root/administrator (raw socket access)
Usage:
# IPv6 SYN scan (requires sudo)
sudo prtip -sS -p 80,443 2001:db8::1
# IPv6 subnet scan
sudo prtip -sS -p 1-1000 2001:db8::/64
# Dual-stack with IPv6 preference
sudo prtip -sS -6 -p 80,443 example.comBehavior:
- Sends SYN, waits for SYN+ACK or RST
- Sends RST to abort connection (no full handshake)
- Stealthier than Connect scan (less logging)
- Raw socket packet crafting required
- Automatic checksum calculation for IPv6 pseudo-header
Performance:
- IPv6 overhead: <10% vs IPv4 (raw socket overhead)
- Loopback: ~10ms for 6 ports
- LAN: ~15-40ms
- WAN: Comparable to TCP Connect
Port States:
- Open: SYN → SYN+ACK received
- Closed: SYN → RST received
- Filtered: SYN timed out (no response, or ICMP unreachable)
IPv6 Considerations:
- IPv6 header: 40 bytes (vs 20 bytes IPv4)
- TCP pseudo-header checksum includes IPv6 addresses
- Extension headers supported but rare in practice
- No fragmentation by default (Path MTU Discovery required)
Example Output:
Scanning 2001:db8::1 (SYN scan)...
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3000/tcp filtered node
8080/tcp closed http-proxy
IPv6 Support: ✅ Full dual-stack (Sprint 5.1 Phase 2.1-2.3)
Description: Sends UDP datagrams with protocol-specific payloads, interprets responses.
Privileges: Requires root/administrator (raw socket for ICMP reception)
Usage:
# IPv6 UDP scan (common services)
sudo prtip -sU -p 53,123,161 2001:db8::1
# IPv6 subnet UDP scan (DNS servers)
sudo prtip -sU -p 53 2001:db8::/64
# Dual-stack DNS scan
sudo prtip -sU -p 53 192.168.1.0/24 2001:db8::/64Behavior:
- Sends UDP datagrams to target ports
- Waits for UDP response or ICMPv6 Port Unreachable
- Protocol-specific payloads for common services (DNS, SNMP, NTP, etc.)
- Interprets ICMPv6 Type 1 Code 4 (Port Unreachable) as "closed"
- Timeout indicates "open|filtered" (ambiguous state)
Performance:
- Slower than TCP: 10-100x due to stateless nature
- IPv6 overhead: <5% vs IPv4 (same protocol logic)
- Timeout-dependent: Recommended T4 or T5 timing
- Parallelism helps: Use high --max-concurrent values
Protocol Payloads (IPv6-compatible):
- DNS (53): Query for version.bind TXT record
- SNMP (161): GetRequest for sysDescr.0
- NTP (123): Mode 3 client request
- mDNS (5353): PTR query for _services._dns-sd._udp.local
- DHCPv6 (547): SOLICIT message
- NetBIOS (137): Name query (IPv4 only, legacy)
Port States:
- Open: UDP response received
- Closed: ICMPv6 Port Unreachable received
- Open|Filtered: No response (timeout)
- Filtered: ICMPv6 Administratively Prohibited
ICMPv6 Response Handling:
- Type 1, Code 4: Port Unreachable (closed)
- Type 1, Code 1: Communication Administratively Prohibited (filtered)
- Type 1, Code 3: Address Unreachable (host down)
- Type 3: Time Exceeded (filtered, deep firewall)
Example Output:
Scanning 2001:db8::1 (UDP scan)...
PORT STATE SERVICE
53/udp open dns
123/udp open|filtered ntp
161/udp open snmp
162/udp open|filtered snmptrap
514/udp closed syslog
IPv6 Support: ✅ Full dual-stack (Sprint 5.1 Phase 2.4-2.7)
Description: Send TCP packets with unusual flag combinations to evade firewalls.
Privileges: Requires root/administrator (raw socket access)
Usage:
# IPv6 FIN scan
sudo prtip -sF -p 80,443 2001:db8::1
# IPv6 subnet FIN scan
sudo prtip -sF -p 1-1000 2001:db8::/64Behavior:
- Sends TCP packet with FIN flag only
- Open ports: No response (FIN ignored)
- Closed ports: RST response
- Evades simple stateful firewalls
Usage:
# IPv6 NULL scan
sudo prtip -sN -p 80,443 2001:db8::1Behavior:
- Sends TCP packet with no flags set
- Open ports: No response (NULL packet ignored)
- Closed ports: RST response
- More stealthy than FIN scan
Usage:
# IPv6 Xmas scan
sudo prtip -sX -p 80,443 2001:db8::1Behavior:
- Sends TCP packet with FIN+PSH+URG flags ("lit up like a Christmas tree")
- Open ports: No response
- Closed ports: RST response
- Signature is easily detectable by modern IDS
Usage:
# IPv6 ACK scan (firewall detection)
sudo prtip -sA -p 80,443 2001:db8::1Behavior:
- Sends TCP packet with ACK flag only
- Purpose: Firewall detection, not port state
- Unfiltered: RST response (regardless of port state)
- Filtered: No response or ICMP unreachable
Port States (Stealth Scans):
- Open|Filtered: No response (timeout)
- Closed: RST received
- Filtered: ICMP unreachable or persistent timeout
IPv6 Considerations:
- IPv6 firewalls may behave differently than IPv4
- Stateful firewalls often block these scans
- Windows systems don't follow RFC 793 for closed ports (send RST for NULL/FIN/Xmas)
- Many modern firewalls detect and block stealth scans
Example Output:
Scanning 2001:db8::1 (FIN scan)...
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
443/tcp closed https
3306/tcp open|filtered mysql
IPv6 Support: ✅ Full ICMPv6 & NDP (Sprint 5.1 Phase 3.1-3.2)
Description: Host discovery using ICMP Echo and NDP Neighbor Discovery.
Privileges: Requires root/administrator (raw ICMP socket)
Usage:
# IPv6 host discovery (ICMP Echo + NDP)
sudo prtip --discovery 2001:db8::/64
# IPv4 + IPv6 dual-stack discovery
sudo prtip --discovery 192.168.1.0/24 2001:db8::/64
# Discovery with port scan on live hosts
sudo prtip --discovery --discovery-then-scan -p 80,443 2001:db8::/64Protocols:
- Type 128: Echo Request (IPv6 equivalent of ICMP Type 8)
- Type 129: Echo Reply (IPv6 equivalent of ICMP Type 0)
- Purpose: Basic host liveness check
- Behavior: Target responds with Echo Reply if reachable
- Type 135: Neighbor Solicitation (NS)
- Type 136: Neighbor Advertisement (NA)
- Purpose: Link-layer address resolution + host discovery
- Target: Solicited-node multicast address (ff02::1:ffXX:XXXX)
- Efficiency: More reliable than Echo on local links
Solicited-Node Multicast Addressing:
Target Address: 2001:db8::1234:5678
Solicited-Node: ff02::1:ff34:5678
^^^^^^^^
Last 24 bits of target address
Performance:
- ICMPv6 Echo: ~20-50ms per host
- NDP: ~10-30ms on local link (faster than Echo)
- Combined: ~50-100ms per host (both protocols)
- Parallelism: Scales linearly with CPU cores
Discovery Strategies:
- ICMPv6 Echo: Works across routers, blocked by some firewalls
- NDP: Local link only, rarely blocked (required for IPv6)
- Combined: Use both for maximum coverage
Example Output:
Running IPv6 discovery on 2001:db8::/64...
Host: 2001:db8::1 (ICMP Echo Reply)
Host: 2001:db8::2 (NDP Neighbor Advertisement)
Host: 2001:db8::10 (ICMP Echo Reply)
Host: 2001:db8::20 (NDP Neighbor Advertisement)
Discovery complete: 4 hosts alive
IPv6 Support: ✅ Full dual-stack with /64-aware generation (Sprint 5.1 Phase 3.3-3.4)
Description: Obscure scan source by generating traffic from multiple decoy IPs.
Privileges: Requires root/administrator (source address spoofing)
Usage:
# IPv6 decoy scan with 5 random decoys
sudo prtip -sS -D RND:5 -p 80,443 2001:db8::1
# IPv6 decoy scan with manual decoy list
sudo prtip -sS -D 2001:db8::10,2001:db8::20,ME,2001:db8::30 -p 80,443 2001:db8::1
# IPv6 subnet scan with decoys
sudo prtip -sS -D RND:10 -p 80,443 2001:db8::/64Behavior:
- Sends scan packets from real IP + multiple decoy IPs
- Decoy IPs are spoofed (source address manipulation)
- Target sees traffic from N+1 sources
- Obscures true source in logs
- ME keyword specifies position of real IP in decoy list
IPv6 Decoy Generation:
- Random /64 IIDs: Generates random Interface Identifiers within target's /64 subnet
- Subnet-Aware: Uses target's network prefix + random 64-bit IID
- Reserved Address Filtering: Avoids 7 reserved IPv6 ranges:
- Loopback (::1/128)
- Multicast (ff00::/8)
- Link-local (fe80::/10)
- ULA (fc00::/7)
- Documentation (2001:db8::/32)
- IPv4-mapped (::ffff:0:0/96)
- Unspecified (::/128)
IPv6 /64 Rationale:
- Most IPv6 subnets are /64 (65,536 networks, 18.4 quintillion hosts)
- Decoys within same /64 are more believable (same network segment)
- SLAAC (Stateless Address Autoconfiguration) uses /64 boundaries
- NDP operates within /64 link-local scope
Decoy Strategies:
- RND:N: N random decoys (recommended: 5-10)
- Manual List: Specify exact decoy IPs
- ME Position: Beginning (detectable), Middle (recommended), End (detectable)
Performance:
- Overhead: 2-5% per decoy (packet crafting + transmission)
- 5 decoys: ~10-25% total overhead
- 10 decoys: ~20-50% total overhead
- Parallelism recommended for large decoy counts
Example Output:
Scanning 2001:db8::1 with 5 decoys...
Decoys: 2001:db8::a3f1:2b4c:9d8e:7f61
2001:db8::5e92:8c3a:4b7d:1f05
2001:db8::c7b4:6e1f:8a92:3d54 (REAL)
2001:db8::2d8f:9b6c:7e4a:5c91
2001:db8::8a1e:3c5b:6d7f:9e20
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Limitations:
- Egress filtering may block spoofed packets
- Some networks drop packets with invalid source IPs
- Return packets only reach real IP (decoys don't receive responses)
- Modern IDS can correlate timing patterns
ProRT-IP implements 5 core ICMPv6 message types for scanning:
| Type | Name | Purpose | Scanner |
|---|---|---|---|
| 1 | Destination Unreachable | Port closed indication | UDP, Stealth |
| 3 | Time Exceeded | Firewall/router drop | All |
| 128 | Echo Request | Host discovery | Discovery |
| 129 | Echo Reply | Host alive | Discovery |
| 135 | Neighbor Solicitation | NDP resolution | Discovery |
| 136 | Neighbor Advertisement | NDP response | Discovery |
Codes:
- 0: No route to destination
- 1: Communication administratively prohibited (filtered)
- 3: Address unreachable (host down)
- 4: Port unreachable (closed port)
Usage in ProRT-IP:
// UDP scanner interprets Code 4 as "closed"
if icmpv6_type == 1 && icmpv6_code == 4 {
port_state = PortState::Closed;
}
// Code 1 indicates firewall filtering
if icmpv6_type == 1 && icmpv6_code == 1 {
port_state = PortState::Filtered;
}Format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data ...
+-+-+-+-+-+-
ProRT-IP Implementation:
- Identifier: Random 16-bit value (scan correlation)
- Sequence Number: Incremented per request
- Data: Timestamp for RTT measurement
- Checksum: ICMPv6 pseudo-header (includes IPv6 src/dst)
Solicited-Node Multicast:
Target: 2001:db8::1234:5678:9abc:def0
Multicast: ff02::1:ff9a:bcde:f0
ProRT-IP NDP Flow:
- Build NS packet with target IPv6 address
- Calculate solicited-node multicast address (ff02::1:ffXX:XXXX)
- Send to multicast address (all nodes on link process)
- Wait for NA response with target's link-layer address
- Mark host as alive if NA received
Performance:
- NDP is faster than Echo on local links (~10-30ms vs 20-50ms)
- Bypasses ICMP filtering (NDP required for IPv6 operation)
- Only works within L2 segment (not routable)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Source Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Destination Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TCP Length | Zeros |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Key Differences from IPv4:
- IPv6 addresses: 128 bits (16 bytes) each
- No IP header checksum (delegated to link layer)
- TCP checksum includes full IPv6 addresses
- Pseudo-header is 40 bytes (vs 12 bytes IPv4)
ProRT-IP Implementation:
fn calculate_tcp_checksum_ipv6(
src: Ipv6Addr,
dst: Ipv6Addr,
tcp_segment: &[u8],
) -> u16 {
let mut sum: u32 = 0;
// Add source address (16 bytes)
for chunk in src.octets().chunks(2) {
sum += u16::from_be_bytes([chunk[0], chunk[1]]) as u32;
}
// Add destination address (16 bytes)
for chunk in dst.octets().chunks(2) {
sum += u16::from_be_bytes([chunk[0], chunk[1]]) as u32;
}
// Add TCP length (32-bit)
sum += (tcp_segment.len() as u32) >> 16;
sum += (tcp_segment.len() as u32) & 0xFFFF;
// Add protocol (TCP = 6)
sum += 6;
// Add TCP segment
for chunk in tcp_segment.chunks(2) {
let word = if chunk.len() == 2 {
u16::from_be_bytes([chunk[0], chunk[1]])
} else {
u16::from_be_bytes([chunk[0], 0])
};
sum += word as u32;
}
// Fold 32-bit sum to 16 bits
while (sum >> 16) > 0 {
sum = (sum & 0xFFFF) + (sum >> 16);
}
!sum as u16
}Checksum Calculation:
- Same pseudo-header format as TCP
- UDP checksum is mandatory in IPv6 (optional in IPv4)
- Zero checksum is invalid in IPv6 UDP
ProRT-IP UDP Implementation:
- Builds IPv6 UDP packets with correct checksums
- Protocol-specific payloads for common services
- Interprets ICMPv6 Port Unreachable as "closed"
ProRT-IP uses runtime dispatch for IPv4/IPv6:
pub async fn send_tcp_syn(
socket: &RawSocket,
target: SocketAddr,
port: u16,
) -> Result<()> {
match target.ip() {
IpAddr::V4(ipv4) => {
let packet = build_tcp_syn_ipv4(ipv4, port)?;
socket.send(&packet).await?;
}
IpAddr::V6(ipv6) => {
let packet = build_tcp_syn_ipv6(ipv6, port)?;
socket.send(&packet).await?;
}
}
Ok(())
}Benefits:
- Zero code duplication
- Type safety (IpAddr enum)
- Automatic protocol selection
- Consistent API across IPv4/IPv6
| Metric | IPv4 | IPv6 | Overhead |
|---|---|---|---|
| Header Size | 20 bytes | 40 bytes | +100% |
| Checksum Calculation | IP + TCP/UDP | TCP/UDP only | -50% CPU |
| Address Resolution | ARP (broadcast) | NDP (multicast) | -90% traffic |
| Loopback Latency | ~5ms | ~5-7ms | +0-40% |
| LAN Latency | ~20ms | ~20-25ms | +0-25% |
| WAN Latency | ~50ms | ~50-60ms | +0-20% |
| Throughput (1Gbps) | 95 Mbps | 92 Mbps | -3% |
Conclusion: IPv6 overhead is negligible on modern hardware (<5-10% in most scenarios).
Problem: Traditional host discovery scales poorly on /64 (18.4 quintillion addresses)
ProRT-IP Solution:
- Targeted Scanning: Only scan known hosts or ranges
- NDP Multicast: Solicited-node multicast is O(1) per host
- Parallel Discovery: Multi-threaded NDP for 100+ hosts/second
Comparison:
# IPv4 /24 subnet scan (256 hosts, 2 seconds)
prtip --discovery 192.168.1.0/24
# IPv6 /64 targeted scan (10 known hosts, 1 second)
prtip --discovery 2001:db8::1,2001:db8::2,...,2001:db8::10
# IPv6 /64 full scan (18.4 quintillion hosts, NEVER completes)
# DO NOT RUN: prtip --discovery 2001:db8::/64Best Practices:
- Use host lists for /64 scans
- Rely on NDP for local discovery
- Combine with DHCPv6 logs or router NDP cache
| Scan Type | IPv4 Default | IPv6 Recommended | Reason |
|---|---|---|---|
| TCP Connect | 2000ms | 2500ms | Slightly higher RTT |
| SYN Scan | 1000ms | 1500ms | ICMPv6 processing delay |
| UDP Scan | 3000ms | 3500ms | ICMPv6 unreachable path |
| Discovery | 500ms | 750ms | NDP multicast delay |
| Stealth | 2000ms | 2500ms | Firewall processing |
Timing Template Adjustments:
# T3 (Normal) - Increased timeouts for IPv6
prtip -sS -T3 -p 80,443 2001:db8::1 # 2.5s timeout
# T4 (Aggressive) - Default IPv4 timeouts OK
prtip -sS -T4 -p 80,443 2001:db8::1 # 1.5s timeout
# T5 (Insane) - Minimal timeout, IPv6 may miss responses
prtip -sS -T5 -p 80,443 2001:db8::1 # 500ms timeout (risky)Purpose: Local service enumeration, scanner testing
Usage:
# TCP Connect scan (no privileges)
prtip -sT -p 22,80,443,3306,5432 ::1
# SYN scan (requires root)
sudo prtip -sS -p 1-1000 ::1
# Service detection
prtip -sT -sV -p 80,443 ::1Expected Output:
Scanning ::1 (IPv6 loopback)...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1
80/tcp open http nginx 1.18.0
443/tcp open https nginx 1.18.0 (TLS 1.3)
3306/tcp open mysql MySQL 8.0.30
5432/tcp open postgres PostgreSQL 14.5
Purpose: Local network device discovery
Usage:
# Link-local with interface specification (macOS/Linux)
prtip -sS -p 80,443 fe80::1%eth0
# Link-local subnet scan (requires zone ID)
prtip -sS -p 80,443 fe80::/64%eth0
# Discovery on link-local (NDP preferred)
sudo prtip --discovery fe80::/64%eth0Platform-Specific:
- Linux:
%eth0,%ens33,%wlan0 - macOS:
%en0,%en1,%bridge0 - Windows:
%12,%3(interface index) - FreeBSD:
%em0,%re0
Example Output:
Scanning fe80::/64%eth0 (link-local discovery)...
Host: fe80::1%eth0 (Router)
Host: fe80::a23f:8e1c:7d4b:92e0%eth0 (NDP Advertisement)
Host: fe80::5e8a:3c9f:1b7d:4e60%eth0 (NDP Advertisement)
3 hosts alive on link-local segment
Purpose: Internet-facing service enumeration
Usage:
# Single global unicast host
prtip -sS -p 80,443 2001:4860:4860::8888
# Multiple hosts
prtip -sS -p 80,443 2001:db8::1 2606:2800:220:1:248:1893:25c8:1946
# With service detection
prtip -sS -sV -p 80,443 2001:4860:4860::8888Example Output:
Scanning 2001:4860:4860::8888 (Google Public DNS)...
PORT STATE SERVICE VERSION
53/tcp open dns Google DNS
443/tcp open https Google DNS over HTTPS (DoH)
Purpose: Subnet enumeration (targeted, not full /64 sweep)
Usage:
# Scan first 256 addresses in /64 subnet
prtip -sS -p 80,443 2001:db8::0/120 # /120 = 256 addresses
# Scan specific host range
prtip -sS -p 80,443 2001:db8::1-2001:db8::ff
# Discovery then port scan (efficient)
sudo prtip --discovery --discovery-then-scan -p 80,443 2001:db8::0/120CIDR Guidelines:
- /120: 256 hosts (manageable)
- /112: 65,536 hosts (slow but feasible)
- /64: 18.4 quintillion hosts (NEVER full scan)
Example Output:
Scanning 2001:db8::0/120 (256 hosts)...
PORT STATE SERVICE
80/tcp open http (10 hosts)
443/tcp open https (8 hosts)
22/tcp open ssh (15 hosts)
25 hosts responsive, 40 open ports found
Purpose: Test both IPv4 and IPv6 connectivity
Usage:
# Prefer IPv6, fallback to IPv4
prtip -sS --prefer-ipv6 -p 80,443 example.com
# Prefer IPv4, fallback to IPv6
prtip -sS --prefer-ipv4 -p 80,443 example.com
# Scan both protocols explicitly
prtip -sS -p 80,443 example.com 2606:2800:220:1:248:1893:25c8:1946Example Output:
Resolving example.com (prefer IPv6)...
IPv6: 2606:2800:220:1:248:1893:25c8:1946
IPv4: 93.184.216.34
Using: 2606:2800:220:1:248:1893:25c8:1946 (IPv6)
Scanning 2606:2800:220:1:248:1893:25c8:1946...
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Purpose: Heterogeneous network scanning
Usage:
# Mixed targets (auto-detect protocol)
prtip -sS -p 80,443 \
192.168.1.1 \
2001:db8::1 \
example.com \
10.0.0.0/24 \
2001:db8::/120
# With protocol preference for hostnames
prtip -sS -6 -p 80,443 \
192.168.1.1 \ # IPv4 literal (unchanged)
example.com \ # Resolves to IPv6
2001:db8::1 # IPv6 literal (unchanged)Example Output:
Scanning 3 targets (mixed IPv4/IPv6)...
192.168.1.1 (IPv4):
80/tcp open http
443/tcp open https
2001:db8::1 (IPv6):
22/tcp open ssh
80/tcp open http
example.com → 2606:2800:220:1:248:1893:25c8:1946 (IPv6):
80/tcp open http
443/tcp open https
Summary: 3 hosts, 7 open ports
Purpose: Identify services and versions on IPv6 hosts
Usage:
# Service detection on IPv6
prtip -sT -sV -p 22,80,443 2001:db8::1
# Aggressive scan (OS + Service + Scripts)
prtip -sS -A -p- 2001:db8::1
# High intensity service detection
prtip -sT -sV --version-intensity 9 -p 80,443 2001:db8::1Example Output:
Scanning 2001:db8::1 with service detection...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.54 ((Ubuntu))
443/tcp open https Apache httpd 2.4.54 ((Ubuntu)) TLS 1.3
3000/tcp open node Node.js Express 4.18.2
5432/tcp open postgres PostgreSQL 15.1
OS Detection: Linux 5.15-6.0
Purpose: Evade firewalls and IDS
Usage:
# FIN scan with timing control
sudo prtip -sF -T2 -p 80,443 2001:db8::1
# NULL scan with decoys
sudo prtip -sN -D RND:5 -p 80,443 2001:db8::1
# Xmas scan with fragmentation (Phase 5 planned)
# sudo prtip -sX -f --mtu 1280 -p 80,443 2001:db8::1Example Output:
Scanning 2001:db8::1 (FIN scan, stealth mode)...
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
443/tcp closed https
3000/tcp open|filtered node
8080/tcp closed http-proxy
Purpose: Obscure scan origin
Usage:
# Random decoys in target's /64 subnet
sudo prtip -sS -D RND:10 -p 80,443 2001:db8::1
# Manual decoy list with ME positioning
sudo prtip -sS -D 2001:db8::10,2001:db8::20,ME,2001:db8::30 \
-p 80,443 2001:db8::1Example Output:
Scanning 2001:db8::1 with 10 decoys...
Decoys (in /64 subnet):
2001:db8::a3f1:2b4c:9d8e:7f61
2001:db8::5e92:8c3a:4b7d:1f05
2001:db8::c7b4:6e1f:8a92:3d54
2001:db8::9f2e:7a5c:4b8d:1e03
2001:db8::4d7f:8e1a:6c9b:2f50 (ME - REAL IP)
2001:db8::2d8f:9b6c:7e4a:5c91
2001:db8::8a1e:3c5b:6d7f:9e20
2001:db8::6b9f:2e7d:5a8c:1f04
2001:db8::1c5e:9a3f:8d7b:4e60
2001:db8::7e4a:3b9c:6d8f:2e10
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Purpose: Resolve dual-stack hostnames to IPv4/IPv6
Usage:
# Default: Prefer IPv4
prtip -sS -p 80,443 example.com
# Force IPv6 (prefer AAAA records)
prtip -sS -6 -p 80,443 example.com
# Force IPv4 (prefer A records)
prtip -sS -4 -p 80,443 example.com
# Show DNS resolution details
prtip -sS -6 -vvv -p 80,443 example.comExample Output (with -vvv):
[DEBUG] Resolving example.com (prefer IPv6)...
[DEBUG] DNS query: example.com AAAA
[DEBUG] DNS response: 2606:2800:220:1:248:1893:25c8:1946
[DEBUG] DNS query: example.com A
[DEBUG] DNS response: 93.184.216.34
[INFO] Selected: 2606:2800:220:1:248:1893:25c8:1946 (IPv6)
Scanning 2606:2800:220:1:248:1893:25c8:1946...
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Error Message:
Error: IPv6 not supported on this interface
Causes:
- IPv6 disabled in OS
- Network interface has no IPv6 address
- IPv6 kernel module not loaded
Solutions:
# Check IPv6 status (Linux)
ip -6 addr show
sysctl net.ipv6.conf.all.disable_ipv6
# Enable IPv6 (Linux)
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=0
# Check IPv6 status (macOS)
ifconfig | grep inet6
# Enable IPv6 (macOS)
sudo networksetup -setv6automatic Wi-Fi
# Check IPv6 status (Windows)
netsh interface ipv6 show config
# Enable IPv6 (Windows)
netsh interface ipv6 installError Message:
Warning: NDP timeout for fe80::1%eth0
Causes:
- Wrong interface specified
- Firewall blocking ICMPv6 Type 135/136
- Host not on local link
Solutions:
# List all interfaces
ip link show # Linux
ifconfig -a # macOS/BSD
ipconfig /all # Windows
# Verify link-local addresses on interface
ip -6 addr show eth0 # Linux
ifconfig en0 # macOS
# Test NDP manually (Linux)
ping6 -c 1 -I eth0 ff02::1 # All nodes multicast
# Disable IPv6 firewall temporarily (TESTING ONLY)
sudo ip6tables -F # Linux
sudo pfctl -d # macOSSymptom: All UDP ports show as "open|filtered"
Causes:
- Firewall dropping ICMPv6 unreachable messages
- Rate limiting on ICMPv6 responses
- Long network path with packet loss
Solutions:
# Increase timeout (allow more time for ICMPv6)
prtip -sU --timeout 5000 -p 53,123,161 2001:db8::1
# Use aggressive timing (faster retries)
prtip -sU -T5 -p 53,123,161 2001:db8::1
# Target known-closed ports to verify ICMPv6 unreachable
prtip -sU -p 9999 2001:db8::1 # Should be "closed" if ICMPv6 worksError Message:
Error: Cannot connect to fe80::1: Invalid argument
Cause: Missing zone ID (interface specification)
Solution:
# WRONG: No zone ID
prtip -sS -p 80,443 fe80::1
# CORRECT: With zone ID
prtip -sS -p 80,443 fe80::1%eth0 # Linux
prtip -sS -p 80,443 fe80::1%en0 # macOS
prtip -sS -p 80,443 fe80::1%12 # Windows (interface index)Symptom: No response to ICMPv6 Echo (Type 128), but NDP works
Cause: Firewall allows NDP (required for IPv6) but blocks ICMP Echo
Solutions:
# Use NDP-only discovery (more reliable on local links)
sudo prtip --discovery --ndp-only 2001:db8::/120
# Check firewall rules (Linux)
sudo ip6tables -L -n | grep icmpv6
# Temporarily allow ICMPv6 Echo (TESTING ONLY)
sudo ip6tables -I INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
sudo ip6tables -I OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPTIssue: Permission denied for raw sockets
Solution:
# Use sudo for SYN/UDP/Stealth/Discovery scans
sudo prtip -sS -p 80,443 2001:db8::1
# OR: Grant CAP_NET_RAW capability (persistent)
sudo setcap cap_net_raw=eip /path/to/prtipIssue: "Operation not permitted" when sending raw packets
Solution:
# Use sudo (required on macOS)
sudo prtip -sS -p 80,443 2001:db8::1
# Verify BPF device permissions
ls -l /dev/bpf*
# Should show: crw------- root wheel
# Grant temporary BPF access (ChmodBPF)
# https://github.com/wireshark/wireshark/blob/master/ChmodBPF/Issue: "Npcap not installed" error
Solution:
# Install Npcap from https://npcap.com/
# Download and run installer with "WinPcap API-compatible" option
# Verify Npcap installation
sc query npcap
# Should show: STATE: RUNNING
# Run as Administrator (required for raw sockets)
# Right-click ProRT-IP → Run as AdministratorIssue: IPv6 raw socket permission denied
Solution:
# Use sudo or doas
sudo prtip -sS -p 80,443 2001:db8::1
# OR: Add user to wheel group
sudo pw groupmod wheel -m username
# Verify IPv6 enabled
sysctl net.inet6.ip6.forwardingUse IPv6 When:
- Target network is dual-stack or IPv6-only
- Testing IPv6-specific vulnerabilities
- Assessing IPv6 security posture (often overlooked)
- Future-proofing network assessments
- ISP or cloud provider is IPv6-native
Use IPv4 When:
- Target network is IPv4-only (legacy)
- IPv6 firewall rules are too restrictive
- Faster scan required (slight performance advantage on some networks)
Use Both When:
- Comprehensive security assessment
- Dual-stack network with different firewall rules per protocol
- Comparing IPv4 vs IPv6 service availability
# No flags = prefer IPv4, fallback to IPv6
prtip -sS -p 80,443 example.comUse Case: General scanning, legacy networks
# Prefer IPv6, fallback to IPv4
prtip -sS --prefer-ipv6 -p 80,443 example.comUse Case: Modern networks, cloud environments, ISP testing
# Strict IPv6 mode (error on IPv4)
prtip -sS --ipv6-only -p 80,443 2001:db8::/120Use Case: IPv6-only networks, IPv6 security audits
# Explicit IPv4 + IPv6 (no fallback, both required)
prtip -sS -p 80,443 example.com \
$(dig +short example.com A) \
$(dig +short example.com AAAA)Use Case: Compare IPv4 vs IPv6 service parity
# T4 or T5 for IPv6 (higher parallelism)
prtip -sS -T4 -p 80,443 2001:db8::/120 # Aggressive
prtip -sS -T5 -p 80,443 2001:db8::/120 # Insane (risky)Rationale: IPv6 has slightly higher latency, aggressive timing compensates
# High concurrency for /120 subnet (256 hosts)
prtip -sS --max-concurrent 500 -p 80,443 2001:db8::/120
# Very high for /112 subnet (65K hosts, if feasible)
prtip -sS --max-concurrent 1000 -p 80,443 2001:db8::/112Rationale: IPv6 benefits from higher parallelism due to larger address space
# NDP is 2-3x faster than ICMP Echo on local links
sudo prtip --discovery --ndp-only fe80::/64%eth0Rationale: NDP multicast is more efficient than ICMP unicast on L2 segments
Router Advertisements (RA) Spoofing:
- Attackers can advertise rogue routers
- Use RA Guard on switches
- Monitor for unexpected RAs
NDP Exhaustion:
- Attackers can flood NDP cache
- Implement NDP rate limiting
- Use ND Inspection (IPv6 equivalent of ARP Inspection)
Extension Header Abuse:
- Fragmentation attacks (IPv6 fragmentation is end-to-end)
- Use firewalls to drop packets with excessive extension headers
Tunneling (6to4, Teredo):
- IPv6-in-IPv4 tunnels can bypass firewalls
- Scan for tunnel endpoints (UDP port 3544 for Teredo)
Rate Limiting:
# Polite scan (T2, low rate)
prtip -sS -T2 --max-rate 100 -p 80,443 2001:db8::/120Avoid Full /64 Scans:
# NEVER: Full /64 scan (18.4 quintillion addresses)
# prtip -sS -p 80,443 2001:db8::/64
# GOOD: Targeted /120 (256 addresses)
prtip -sS -p 80,443 2001:db8::/120Respect Firewall Responses:
- ICMPv6 Administratively Prohibited = "filtered" (stop scanning)
- No response = "open|filtered" (timeout indicates firewall)
Difference from IPv4:
- IPv6 routers do NOT fragment packets (only sender can fragment)
- Path MTU Discovery (PMTUD) is mandatory
- Minimum MTU: 1280 bytes (vs 68 bytes IPv4)
ProRT-IP Implementation (Phase 5 Planned):
# Fragment packets to evade firewalls (NOT YET IMPLEMENTED)
# sudo prtip -sS -f --mtu 1280 -p 80,443 2001:db8::1Fragmentation Header:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Reserved | Fragment Offset |Res|M|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
- Next Header: Protocol after reassembly (TCP = 6, UDP = 17)
- Fragment Offset: 13 bits (offset in 8-byte units)
- M flag: More fragments (1 = more, 0 = last)
- Identification: 32 bits (unique per source/destination/packet)
Common Extension Headers:
- Hop-by-Hop Options (0)
- Routing (43)
- Fragment (44)
- Destination Options (60)
- Authentication Header (AH) (51)
- Encapsulating Security Payload (ESP) (50)
Processing Order:
IPv6 Header
→ Hop-by-Hop Options
→ Routing
→ Fragment
→ Destination Options
→ TCP/UDP/ICMP
ProRT-IP Support:
- Current: Hop-by-Hop, Routing, Fragment, Destination Options (parsing only)
- Phase 5: Custom extension header insertion for evasion
Purpose: Prevent address-based tracking
Mechanism:
- Temporary addresses generated from random Interface IDs
- Change every 1-7 days (configurable)
- Original address (derived from MAC) still used for servers
ProRT-IP Considerations:
# Privacy address may change during scan
# Use stable address for consistency
prtip -sS -p 80,443 2001:db8::1234:5678:90ab:cdef # Stable
# Privacy address (may change)
prtip -sS -p 80,443 2001:db8::a3f1:2b4c:9d8e:7f61 # TemporaryDetecting Privacy Addresses:
- Random IID (last 64 bits)
- No MAC-based pattern (EUI-64)
- Short-lived in DNS cache
Purpose: Efficient neighbor resolution (NDP)
Format:
Target Address: 2001:0db8:0000:0000:1234:5678:9abc:def0
Solicited-Node: ff02:0000:0000:0000:0000:0001:ff9a:bcdef0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ff02::1:ff + last 24 bits of target
Algorithm:
fn solicited_node_multicast(target: Ipv6Addr) -> Ipv6Addr {
let octets = target.octets();
let last_24_bits = [octets[13], octets[14], octets[15]];
Ipv6Addr::new(
0xff02, 0, 0, 0,
0, 1,
0xff00 | (last_24_bits[0] as u16),
((last_24_bits[1] as u16) << 8) | (last_24_bits[2] as u16),
)
}ProRT-IP Usage:
- Discovery Engine automatically calculates solicited-node multicast
- Sends NS to multicast address
- All nodes on link process NS, target responds with NA
SLAAC (Stateless Address Autoconfiguration):
- No DHCP server required
- Address = Prefix (from RA) + EUI-64 or random IID
- Fast, automatic, no state
DHCPv6:
- Centralized address management
- Stateful (server tracks leases)
- Can provide DNS, NTP, other options
ProRT-IP Scanning:
# SLAAC network: Predictable addressing (EUI-64)
# MAC: 00:11:22:33:44:55
# IPv6: 2001:db8::211:22ff:fe33:4455
prtip -sS -p 80,443 2001:db8::211:22ff:fe33:4455
# DHCPv6 network: Query DHCP server for address list
# Use DHCPv6 logs or router NDP cache for targets
prtip -sS -p 80,443 $(cat dhcpv6-leases.txt)- RFC 8200: IPv6 Specification
- RFC 4443: ICMPv6 for IPv6
- RFC 4861: Neighbor Discovery Protocol
- RFC 4291: IPv6 Addressing Architecture
- RFC 5095: Deprecation of Type 0 Routing Headers
- RFC 6724: Default Address Selection
- RFC 4941: Privacy Extensions
- RFC 7217: Stable Privacy Addresses
- 00-ARCHITECTURE.md - System design with IPv6 notes
- 04-IMPLEMENTATION-GUIDE.md - IPv6 packet building code examples
- 06-TESTING.md - Cross-scanner IPv6 tests
- 14-NMAP-COMPATIBILITY.md - IPv6 flag compatibility matrix
- Nmap IPv6 Documentation
- IANA IPv6 Address Space (iana.org/assignments/ipv6-address-space)
- IPv6 Test Tools
- Hurricane Electric IPv6 Certification (ipv6.he.net/certification)
Document Version: 1.0 Last Updated: 2025-10-29 Sprint: 5.1 Phase 4.3 Maintainer: ProRT-IP Contributors Status: Production-Ready (100% IPv6 Scanner Coverage)