Recently SI6 released the IPv6 Toolkit 1.3   This release is on the heels of this IETF draft  on IPv6 host scanning.  It was long thought that scanning an IPv6 network was impossible.  The address space was too large and reliably ascertaining the hosts from it would be too time consuming to even attempt.  However, as Dr. Hans Zarkov says in the 1980 classic cult film of my youth, Flash Gordon, “You can’t beat the human spirit!”  That fine community out there has thought outside the box and found a way.

I’m a network engineer by profession, but I’ve been a security guy more than once during my ~15 years doing IT work; I think there is definite value in studying “the dark side” and learning it’s power.  Couple that with my zealotry of IPv6….and I’ve found a time vortex.
Scanning IPv6 is not like scanning IPv4.   It can’t be.  A /64 network has 18,446,744,073,709,551,616 (18 quintillion) unique addresses and a /64 is the default allocation for an end user subnet.  Have fun scanning that one by one.  The methodology used by scan6 is pretty innovative, but first you have to build it.
The IPv6 toolkit is available via download here.  It is current;y supported under FreeBSD, NetBSD, OpenBSD, Linux, and Mac OS X.  I’ve chosen to build mine on my laptop, a macbook pro running OS 10.8.
It’s pretty straightforward to build assuming you have the Developers Tools and CLI support added.
(~/Downloads/ipv6-toolkit-v1.3) Tardis $ make
gcc -Wall -o flow6 tools/flow6.c -lpcap -lm
gcc -Wall -o frag6 tools/frag6.c -lpcap -lm
gcc -Wall -o icmp6 tools/icmp6.c -lpcap -lm
gcc -Wall -o jumbo6 tools/jumbo6.c -lpcap -lm
gcc -Wall -o na6 tools/na6.c -lpcap -lm
gcc -Wall -o ni6 tools/ni6.c -lpcap -lm
gcc -Wall -o ns6 tools/ns6.c -lpcap -lm
gcc -Wall -o ra6 tools/ra6.c -lpcap -lm
gcc -Wall -o rd6 tools/rd6.c -lpcap -lm
gcc -Wall -o rs6 tools/rs6.c -lpcap -lm
gcc -Wall -o scan6 tools/scan6.c -lpcap -lm
gcc -Wall -o tcp6 tools/tcp6.c -lpcap -lm
 
That’s it.  If you want to install it in the global environment, to a “make install”
Now for the good stuff.  The docs are well written for this tool. Here is an example of scanning a local segment in verbose mode and the output:
(~/Downloads/ipv6-toolkit-v6.8) tardis $ sudo ./scan6 -i en6 -l -e -v
Link-local addresses:
fe80::20d:b9ff:fe68:8ca6 @ 00:0d:b9:68:8c:a6
fe80::264:d6ff:fe25:9704 @ 00:64:d6:25:97:04
fe80::26f:f8ff:fe06:dcb4 @ 00:6f:f8:06:dc:b4
fe80::22cf:80ff:fea8:ec26 @ 20:cf:80:a8:ec:26
fe80::224:86ff:fe9f:c628 @ 00:24:86:9f:c6:28
fe80::267:f2ff:fe52:8574 @ 00:67:f2:52:85:74
fe80::8ed0:f8ff:fe8a:4d29 @ 8c:d0:f8:8a:4d:29
fe80::62fa:cdff:fe86:62bd @ 60:fa:cd:86:62:bd
fe80::629a:ddff:fe45:6c08 @ 60:9a:dd:45:6c:08
Global addresses:
2001:db8:86c0:24::6 @ 00:0d:b9:68:8c:a6
2001:db8:86c0:24:224:86ff:fe9f:c628 @ 00:24:86:9f:c6:28
2001:db8:86c0:24:22cf:80ff:fea8:ec26 @ 20:cf:80:a8:ec:26
2001:db8:86c0:24:26f:f8ff:fe06:dcb4 @ 00:6f:f8:06:dc:b4
2001:db8:86c0:24:267:f2ff:fe52:8574 @ 00:67:f2:52:85:74
2001:db8:86c0:24:62fa:cdff:fe86:62bd @ 60:fa:cd:86:62:bd
2001:db8:86c0:24:8ed0:f8ff:fe8a:4d29 @ 8c:d0:f8:8a:4d:29
2001:db8:86c0:24:629a:ddff:fe45:6c08 @ 60:9a:dd:45:6c:08
This example,  taken straight from the documentation and run on my local network (with MAC and v6 addresses changed to protect the innocent), will “Perform host scanning on the local network (“-l” option) using interface “eth0” (“-i” option). Use both ICMPv6 echo requests and unrecognized IPv6 options of type 10xxxxxx (default). Print link- link layer addresses along with IPv6 addresses (“-e” option). Be verbose (“-v” option).”
One of the interesting things I saw available in this scan6 tool was the ability to narrow down a search based on a known OUI.  If someone wanted to search for virtual machines hosted by VMWare host and the IPv4 address of the VMWare host is known, this command would be useful for scanning from a host off net, scanning a network in the lab area: