IPv6 Search Using First and Second Address

Large-scale IPv6 scanning over public networks using the typical method of just checking every IP obviously does not work because of the massive number of potential addresses. This is obviously a problem for a person wanting to find random internet things to get into. There are not many great solutions to scanning here (assuming you don't have access to a core router), so creative solutions must be used.

What I've been playing around with is the following:

1: Download a copy of the BGP IPv6 RIB data.
2: Convert the full data to just a list of prefixes (or use the router destinations). This can be done using the steps on https://uni.cubicchaos.net/blog/17
3: If using prefixes, try pinging the first address x:x:x:x:: and the second x:x:x:x::1.

You'll often find that there's a router on one of these, which is at least something interesting.

Issues/expansions with this method:

1: It's usually just routers that you find specifically on the first and second addresses.
2: Prefixes like x:x:x::/48 would likely be split outside the view of BGP and could lead to finding more routers.

The first can potentially be expanded by scanning the first 65536 addresses, since if the router is using DHCPv6, the first 65536 is a very common range. Of course, if the router is using SLAAC, you've got no hope of scanning that.

The second can be expanded by just scanning through all the sub-prefixes that may be created, for instance, try x:x:x::/64, x:x:x:1::/64, and so on. This is probably only feasible to automate in prefixes announced as /48 or further, especially when implementing expansion 1.

Using just the simple method, I've found over 2700 pingable addresses on what's probably less than a quarter of the data.
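
To check your own address plan against this search, the added example below (not the author's code) labels each address in an inventory with the step of the method that would reach it, without sending any traffic. The prefixes and hosts are constructed from the 2001:db8::/32 documentation range, and reading "/48 or further" as a prefix length of 48 or more is an assumption.

```python
import ipaddress

LOW_RANGE = 65536    # the article's "first 65536" addresses of a /64
MIN_SPLIT_LEN = 48   # assumption: sub-prefix walk only for /48 or longer
IID_MASK = (1 << 64) - 1

def exposure(addr, announced):
    """Name the step of the article's method that reaches addr, else None."""
    ip = ipaddress.IPv6Address(addr)
    net = ipaddress.IPv6Network(announced)
    if ip not in net:
        return None
    offset = int(ip) - int(net.network_address)
    subnet, iid = offset >> 64, offset & IID_MASK  # which /64, position in it
    if iid >= LOW_RANGE:
        return None                  # high identifiers (e.g. SLAAC) are out of reach
    in_low_range = iid > 1           # past the first and second address
    if subnet == 0:
        return "expansion 1" if in_low_range else "basic"
    if net.prefixlen < MIN_SPLIT_LEN:
        return None                  # too many /64s to walk under a short prefix
    return "expansion 1+2" if in_low_range else "expansion 2"

def audit(inventory, announced_prefixes):
    """Return {address: [(prefix, step), ...]} for addresses the method reaches."""
    report = {}
    for addr in inventory:
        hits = [(p, s) for p in announced_prefixes if (s := exposure(addr, p))]
        if hits:
            report[addr] = hits
    return report

# Constructed sample data (documentation address space), not real allocations.
ANNOUNCED = ["2001:db8:10::/48", "2001:db8:2000::/36"]
INVENTORY = [
    "2001:db8:10::1",                     # router on the second address
    "2001:db8:10::1000",                  # DHCPv6-style low address
    "2001:db8:10:5::1",                   # router in an internal /64
    "2001:db8:10:5::1f4",                 # low address in an internal /64
    "2001:db8:10:5:21a:2bff:fe3c:4d5e",   # SLAAC-style identifier
    "2001:db8:2000::",                    # first address of the /36
    "2001:db8:2000:7::1",                 # internal /64 under a short prefix
]

if __name__ == "__main__":
    for addr, hits in audit(INVENTORY, ANNOUNCED).items():
        print(addr, hits)
```

Addresses missing from the report are not reached by any step as described; moving infrastructure off the first, second and low 65536 addresses of each /64 takes it out of this search.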