Question 27 of 509
Information Gathering and Vulnerability ScanninghardMultiple ChoiceObjective-mapped

Quick Answer

The answer is pinging the IPv6 all-nodes multicast address (ff02::1) and analyzing the responses. This technique is most effective for IPv6 host discovery because IPv6 mandates that every host join the all-nodes multicast group on the local link by default, so a single multicast ping triggers a reply from every active IPv6-enabled device without needing to scan individual addresses. On the CompTIA PenTest+ PT0-002 exam, this question tests your understanding of IPv6’s inherent multicast behavior versus traditional IPv4 broadcast scanning, and a common trap is confusing ff02::1 with the solicited-node multicast address (ff02::1:ffxx:xxxx) used for neighbor discovery. The key memory tip is to think of ff02::1 as the IPv6 equivalent of a broadcast ping—one packet, all hosts reply—making it the stealthiest way to map a local link during internal reconnaissance.

PT0-002 Practice Question: ff02::1 is the IPv6 all-nodes multicast address.

This PT0-002 practice question tests your understanding of information gathering and vulnerability scanning. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: ff02::1 is the IPv6 all-nodes multicast address.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A penetration tester is performing internal reconnaissance on a network that uses IPv6. The tester wants to discover alive hosts and their IPv6 addresses without sending many packets. Which technique is most effective for this purpose?

Question 1hardmultiple choice
Study the full IPv6 explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Ping the IPv6 all-nodes multicast address (ff02::1) and analyze the responses to discover active hosts

Option B is correct because sending a ping to the IPv6 all-nodes multicast address (ff02::1) triggers a response from all active hosts on the local link that have IPv6 enabled, allowing the tester to discover alive hosts and their IPv6 addresses with minimal packets. This technique leverages the inherent multicast behavior of IPv6, where hosts join the all-nodes multicast group by default, making it highly efficient for reconnaissance without scanning each address individually.

Key principle: ff02::1 is the IPv6 all-nodes multicast address.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Perform a full TCP SYN scan on the entire /64 subnet using Nmap with IPv6 addressing

    Why it's wrong here

    A full scan of a /64 subnet (2^64 addresses) is impractical due to the immense address space; it would take an extremely long time and generate excessive traffic.

  • Ping the IPv6 all-nodes multicast address (ff02::1) and analyze the responses to discover active hosts

    Why this is correct

    Sending an ICMPv6 echo request to ff02::1 will trigger responses from all hosts that respond to multicast pings, quickly revealing active IPv6 addresses without scanning the entire subnet.

    Related concept

    ff02::1 is the IPv6 all-nodes multicast address.

  • Request the DHCPv6 server log from the network administrator to obtain a list of assigned IPv6 addresses

    Why it's wrong here

    This relies on the administrator's cooperation and may not include statically addressed hosts; also not a tester technique.

  • Use the `ip neighbor` command on the tester's machine to view the IPv6 neighbor cache after generating traffic

    Why it's wrong here

    The neighbor cache only shows hosts the tester's machine has recently communicated with; it requires prior traffic and is not a discovery technique itself.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may overlook the efficiency of multicast-based discovery and instead choose a brute-force scan (Option A), not realizing that IPv6 subnets are far too large for exhaustive scanning, or they may mistakenly think DHCPv6 logs (Option C) are always available or reliable in IPv6 environments where SLAAC is common.

Trap categories for this question

  • Command / output trap

    The neighbor cache only shows hosts the tester's machine has recently communicated with; it requires prior traffic and is not a discovery technique itself.

Detailed technical explanation

How to think about this question

The all-nodes multicast address ff02::1 is a link-local scope multicast group that all IPv6-enabled hosts must join, as defined in RFC 4291. When a ping (ICMPv6 Echo Request) is sent to this address, each host responds with its own unicast IPv6 address, providing a quick inventory of live nodes. In real-world scenarios, firewalls may block ICMPv6, but on internal networks without such restrictions, this technique is stealthy and efficient for initial reconnaissance.

KKey Concepts to Remember

  • ff02::1 is the IPv6 all-nodes multicast address.
  • ICMPv6 Echo Requests to ff02::1 solicit replies from all active hosts.
  • Multicast pings are efficient for IPv6 host discovery on a local link.
  • This technique leverages IPv6's built-in neighbor discovery mechanisms.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

ff02::1 is the IPv6 all-nodes multicast address.

Real-world example

How this comes up in practice

A security team runs a vulnerability scan on a web application and discovers an unpatched SQL injection flaw. The team prioritises remediation by CVSS score — critical flaws are patched within 24 hours, high within 7 days. Questions like this test whether you understand vulnerability management processes, scanning tools, and remediation prioritisation.

What to study next

Got this wrong? Here's your next step.

Review ff02::1 is the IPv6 all-nodes multicast address., then practise related PT0-002 questions on the same topic to reinforce the concept.

Related practice questions

Related PT0-002 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free PT0-002 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this PT0-002 question test?

Information Gathering and Vulnerability Scanning — This question tests Information Gathering and Vulnerability Scanning — ff02::1 is the IPv6 all-nodes multicast address..

What is the correct answer to this question?

The correct answer is: Ping the IPv6 all-nodes multicast address (ff02::1) and analyze the responses to discover active hosts — Option B is correct because sending a ping to the IPv6 all-nodes multicast address (ff02::1) triggers a response from all active hosts on the local link that have IPv6 enabled, allowing the tester to discover alive hosts and their IPv6 addresses with minimal packets. This technique leverages the inherent multicast behavior of IPv6, where hosts join the all-nodes multicast group by default, making it highly efficient for reconnaissance without scanning each address individually.

What should I do if I get this PT0-002 question wrong?

Review ff02::1 is the IPv6 all-nodes multicast address., then practise related PT0-002 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

ff02::1 is the IPv6 all-nodes multicast address.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More PT0-002 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This PT0-002 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PT0-002 exam.