Currently there are no comfortable tools out which are able to check a system over network for IPv6 security issues. Neither Nessus nor any commercial security scanner is as far as I know able to scan IPv6 addresses.
ATTENTION: always take care that you only scan your own systems or after receiving a written order, otherwise legal issues are able to come up to you. CHECK destination IPv6 addresses TWICE before starting a scan.
With the IPv6-enabled netcat (see IPv6+Linux-status-apps/security-auditing for more) you can run a portscan by wrapping a script around which run through a port range, grab banners and so on. Usage example:
# nc6 ::1 daytime 13 JUL 2002 11:22:22 CEST |
NMap, one of the best portscaner around the world, supports IPv6 since version 3.10ALPHA1. Usage example:
# nmap -6 -sT ::1 Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ ) Interesting ports on localhost6 (::1): (The 1600 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 53/tcp open domain 515/tcp open printer 2401/tcp open cvspserver Nmap run completed -- 1 IP address (1 host up) scanned in 0.525 seconds |
Strobe is a (compared to NMap) more a low budget portscanner, but there is an IPv6-enabling patch available (see IPv6+Linux-status-apps/security-auditing for more). Usage example:
# ./strobe ::1 strobe 1.05 (c) 1995-1999 Julian Assange <proff@iq.org>. ::1 2401 unassigned unknown ::1 22 ssh Secure Shell - RSA encrypted rsh ::1 515 printer spooler (lpd) ::1 6010 unassigned unknown ::1 53 domain Domain Name Server |
Note: strobe isn't really developed further on, the shown version number isn't the right one.
There are some IPv6 enabled online tools available which can support in testing inbound firewall configuration:
If the result of an audit mismatch your IPv6 security policy, use IPv6 firewalling to close the holes, e.g. using netfilter6 (see Firewalling/Netfilter6 for more).
Info: More detailed information concerning IPv6 Security can be found here: