Department of Defense
High Performance Computing Modernization Program

Vulnerability scanners are, for the most part, the same between Internet Protocol version 4 (IPv4) and IPv6, and many support both protocol families. These tools generally look for services or daemons that are running on a host and report their existence. The “good” scanners will also test those services and daemons for potential vulnerabilities. Daemons are mostly IP-version agnostic, so detection and vulnerability assessment are the same for IPv4 and IPv6. For a more in-depth discussion of the differences between scanning IPv4 and IPv6, see this article. The results of an analysis of penetration testing tools' support for IPv6 are described here.

The main difference between scanning IPv4 and IPv6 lies in the ability to find hosts. It is rather easy to search a /24 IPv4 subnet: there are only 254 possible hosts. The smallest IPv6 subnets are usually /64s (18 quintillion hosts!). You obviously cannot scan an entire /64 in a reasonable amount of time, provided that the addresses of the hosts on that subnet are securely assigned. Stateless Address Autoconfiguration (SLAAC), or Dynamic Host Configuration Protocol version 6 (DHCPv6) addresses where the DHCPv6 server assigns randomized values, are examples of secure assignment methods. Examples of insecure assignment methods include manually assigning host addresses sequentially over a small range, or embedding each host’s IPv4 address together with a static prefix/suffix in that host’s IPv6 address.
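The distinction above between secure and insecure assignment is something a defender can audit from an address inventory before an outsider does. The following is an added example (not code from this HPCMP page) that takes a constructed list of hosts on a documentation /64 and flags the two insecure patterns the text names: interface identifiers that are small sequential values (::1, ::2, ...) and identifiers that embed the host's IPv4 address, either as raw bytes in the low 32 bits or with each decimal octet written as a hextet. The sample inventory, the documentation prefix and the `LOW_IID_LIMIT` threshold are assumptions made for the example.

```python
import ipaddress
from typing import Optional

# Constructed sample inventory for a single /64 (documentation prefix, not a real network).
# Each entry is (IPv6 address, the host's IPv4 address if it is dual-stacked, else None).
SAMPLE_PREFIX = "2001:db8:1234:5678::/64"
SAMPLE_HOSTS = [
    ("2001:db8:1234:5678::1", None),                        # hand-assigned, sequential
    ("2001:db8:1234:5678::2", None),                        # hand-assigned, sequential
    ("2001:db8:1234:5678::10.0.0.5", "10.0.0.5"),           # IPv4 copied into the low 32 bits
    ("2001:db8:1234:5678:192:168:1:10", "192.168.1.10"),    # IPv4 octets written as hextets
    ("2001:db8:1234:5678:1c4d:9f2e:7a31:b5d0", None),       # randomized interface identifier
    ("2001:db8:ffff::1", None),                             # not on the audited subnet
]

IID_MASK = (1 << 64) - 1
# Interface identifiers below this value look like "::1, ::2, ..." style manual assignment.
# The threshold is an assumption for this example, not a standard value.
LOW_IID_LIMIT = 1 << 16


def interface_id(addr: str) -> int:
    """Return the low 64 bits (the interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def embeds_ipv4(addr: str, ipv4: str) -> bool:
    """Detect the two common ways an IPv4 address is embedded in an IPv6 interface identifier."""
    iid = interface_id(addr)
    v4 = int(ipaddress.IPv4Address(ipv4))
    # Style 1: the four IPv4 octets copied as raw bytes into the low 32 bits (2001:db8::10.0.0.5).
    if iid & 0xFFFFFFFF == v4:
        return True
    # Style 2: each decimal octet written literally as one hextet (192.168.1.10 -> :192:168:1:10),
    # i.e. the digits "192" are read back as the hex value 0x192.
    hextets = [(iid >> shift) & 0xFFFF for shift in (48, 32, 16, 0)]
    literal = [int(octet, 16) for octet in ipv4.split(".")]
    return hextets == literal


def classify(addr: str, ipv4: Optional[str]) -> str:
    """Label one address by how guessable its interface identifier is."""
    if ipv4 is not None and embeds_ipv4(addr, ipv4):
        return "ipv4-embedded"
    if interface_id(addr) < LOW_IID_LIMIT:
        return "low-sequential"
    return "random-looking"


def audit_assignment(hosts, prefix: str) -> dict:
    """Map each inventory address to its classification; addresses outside the prefix are flagged."""
    net = ipaddress.IPv6Network(prefix)
    report = {}
    for addr, ipv4 in hosts:
        if ipaddress.IPv6Address(addr) not in net:
            report[addr] = "outside-prefix"
        else:
            report[addr] = classify(addr, ipv4)
    return report


def predictable_fraction(report: dict) -> float:
    """Share of on-subnet hosts whose addresses could be enumerated without scanning the whole /64."""
    on_net = [label for label in report.values() if label != "outside-prefix"]
    weak = [label for label in on_net if label != "random-looking"]
    return len(weak) / len(on_net) if on_net else 0.0


if __name__ == "__main__":
    result = audit_assignment(SAMPLE_HOSTS, SAMPLE_PREFIX)
    for addr, label in result.items():
        print(f"{addr:45} {label}")
    print(f"predictable: {predictable_fraction(result):.0%}")
```

Run against a real inventory (a DHCPv6 lease table or a neighbor cache export), the `predictable_fraction` figure is the useful number: a subnet that is mostly "random-looking" keeps the /64 search space working in the defender's favour, while a high fraction means the address plan, not the subnet size, decides how hard hosts are to find.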

An attacker must then rely on active discovery of network nodes by exploiting Internet Control Message Protocol version 6 (ICMPv6) vulnerabilities, or on passively monitoring the network. Either way, a suitably configured rogue host can hide itself from such discovery; the same is true in IPv4. Some say that there is a bright side to this: it is also harder for attackers to find hosts. But remember, attackers only have to find one vulnerable host; we have to protect them all!

See also this IPv6 security auditing article.