- A
Perform a full TCP SYN scan on the entire /64 subnet using Nmap with IPv6 addressing
Why wrong: A full scan of a /64 subnet (2^64 addresses) is impractical due to the immense address space; it would take an extremely long time and generate excessive traffic.
- B
Ping the IPv6 all-nodes multicast address (ff02::1) and analyze the responses to discover active hosts
Sending an ICMPv6 echo request to ff02::1 will trigger responses from all hosts that respond to multicast pings, quickly revealing active IPv6 addresses without scanning the entire subnet.
- C
Request the DHCPv6 server log from the network administrator to obtain a list of assigned IPv6 addresses
Why wrong: This relies on the administrator's cooperation and may not include statically addressed hosts; also not a tester technique.
- D
Use the `ip neighbor` command on the tester's machine to view the IPv6 neighbor cache after generating traffic
Why wrong: The neighbor cache only shows hosts the tester's machine has recently communicated with; it requires prior traffic and is not a discovery technique itself.
Quick Answer
The answer is pinging the IPv6 all-nodes multicast address (ff02::1) and analyzing the responses. This technique is most effective for IPv6 host discovery because IPv6 mandates that every host join the all-nodes multicast group on the local link by default, so a single multicast ping triggers a reply from every active IPv6-enabled device without needing to scan individual addresses. On the CompTIA PenTest+ PT0-002 exam, this question tests your understanding of IPv6’s inherent multicast behavior versus traditional IPv4 broadcast scanning, and a common trap is confusing ff02::1 with the solicited-node multicast address (ff02::1:ffxx:xxxx) used for neighbor discovery. The key memory tip is to think of ff02::1 as the IPv6 equivalent of a broadcast ping—one packet, all hosts reply—making it the stealthiest way to map a local link during internal reconnaissance.
PT0-002 Practice Question: ff02::1 is the IPv6 all-nodes multicast address.
This PT0-002 practice question tests your understanding of information gathering and vulnerability scanning. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: ff02::1 is the IPv6 all-nodes multicast address.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A penetration tester is performing internal reconnaissance on a network that uses IPv6. The tester wants to discover alive hosts and their IPv6 addresses without sending many packets. Which technique is most effective for this purpose?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Ping the IPv6 all-nodes multicast address (ff02::1) and analyze the responses to discover active hosts
Option B is correct because sending a ping to the IPv6 all-nodes multicast address (ff02::1) triggers a response from all active hosts on the local link that have IPv6 enabled, allowing the tester to discover alive hosts and their IPv6 addresses with minimal packets. This technique leverages the inherent multicast behavior of IPv6, where hosts join the all-nodes multicast group by default, making it highly efficient for reconnaissance without scanning each address individually.
Key principle: ff02::1 is the IPv6 all-nodes multicast address.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Perform a full TCP SYN scan on the entire /64 subnet using Nmap with IPv6 addressing
Why it's wrong here
A full scan of a /64 subnet (2^64 addresses) is impractical due to the immense address space; it would take an extremely long time and generate excessive traffic.
- ✓
Ping the IPv6 all-nodes multicast address (ff02::1) and analyze the responses to discover active hosts
Why this is correct
Sending an ICMPv6 echo request to ff02::1 will trigger responses from all hosts that respond to multicast pings, quickly revealing active IPv6 addresses without scanning the entire subnet.
Related concept
ff02::1 is the IPv6 all-nodes multicast address.
- ✗
Request the DHCPv6 server log from the network administrator to obtain a list of assigned IPv6 addresses
Why it's wrong here
This relies on the administrator's cooperation and may not include statically addressed hosts; also not a tester technique.
- ✗
Use the `ip neighbor` command on the tester's machine to view the IPv6 neighbor cache after generating traffic
Why it's wrong here
The neighbor cache only shows hosts the tester's machine has recently communicated with; it requires prior traffic and is not a discovery technique itself.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates may overlook the efficiency of multicast-based discovery and instead choose a brute-force scan (Option A), not realizing that IPv6 subnets are far too large for exhaustive scanning, or they may mistakenly think DHCPv6 logs (Option C) are always available or reliable in IPv6 environments where SLAAC is common.
Trap categories for this question
Command / output trap
The neighbor cache only shows hosts the tester's machine has recently communicated with; it requires prior traffic and is not a discovery technique itself.
Detailed technical explanation
How to think about this question
The all-nodes multicast address ff02::1 is a link-local scope multicast group that all IPv6-enabled hosts must join, as defined in RFC 4291. When a ping (ICMPv6 Echo Request) is sent to this address, each host responds with its own unicast IPv6 address, providing a quick inventory of live nodes. In real-world scenarios, firewalls may block ICMPv6, but on internal networks without such restrictions, this technique is stealthy and efficient for initial reconnaissance.
KKey Concepts to Remember
- ff02::1 is the IPv6 all-nodes multicast address.
- ICMPv6 Echo Requests to ff02::1 solicit replies from all active hosts.
- Multicast pings are efficient for IPv6 host discovery on a local link.
- This technique leverages IPv6's built-in neighbor discovery mechanisms.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
ff02::1 is the IPv6 all-nodes multicast address.
Real-world example
How this comes up in practice
A security team runs a vulnerability scan on a web application and discovers an unpatched SQL injection flaw. The team prioritises remediation by CVSS score — critical flaws are patched within 24 hours, high within 7 days. Questions like this test whether you understand vulnerability management processes, scanning tools, and remediation prioritisation.
What to study next
Got this wrong? Here's your next step.
Review ff02::1 is the IPv6 all-nodes multicast address., then practise related PT0-002 questions on the same topic to reinforce the concept.
- →
Information Gathering and Vulnerability Scanning — study guide chapter
Learn the concepts, then practise the questions
- →
Information Gathering and Vulnerability Scanning practice questions
Targeted practice on this topic area only
- →
All PT0-002 questions
509 questions across all exam domains
- →
CompTIA PenTest+ PT0-002 study guide
Full concept coverage aligned to exam objectives
- →
PT0-002 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related PT0-002 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Planning and Scoping practice questions
Practise PT0-002 questions linked to Planning and Scoping.
Information Gathering and Vulnerability Scanning practice questions
Practise PT0-002 questions linked to Information Gathering and Vulnerability Scanning.
Attacks and Exploits practice questions
Practise PT0-002 questions linked to Attacks and Exploits.
Reporting and Communication practice questions
Practise PT0-002 questions linked to Reporting and Communication.
Tools and Code Analysis practice questions
Practise PT0-002 questions linked to Tools and Code Analysis.
PT0-002 fundamentals practice questions
Practise PT0-002 questions linked to PT0-002 fundamentals.
PT0-002 scenario practice questions
Practise PT0-002 questions linked to PT0-002 scenario.
PT0-002 troubleshooting practice questions
Practise PT0-002 questions linked to PT0-002 troubleshooting.
Practice this exam
Start a free PT0-002 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this PT0-002 question test?
Information Gathering and Vulnerability Scanning — This question tests Information Gathering and Vulnerability Scanning — ff02::1 is the IPv6 all-nodes multicast address..
What is the correct answer to this question?
The correct answer is: Ping the IPv6 all-nodes multicast address (ff02::1) and analyze the responses to discover active hosts — Option B is correct because sending a ping to the IPv6 all-nodes multicast address (ff02::1) triggers a response from all active hosts on the local link that have IPv6 enabled, allowing the tester to discover alive hosts and their IPv6 addresses with minimal packets. This technique leverages the inherent multicast behavior of IPv6, where hosts join the all-nodes multicast group by default, making it highly efficient for reconnaissance without scanning each address individually.
What should I do if I get this PT0-002 question wrong?
Review ff02::1 is the IPv6 all-nodes multicast address., then practise related PT0-002 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
ff02::1 is the IPv6 all-nodes multicast address.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: Jun 11, 2026
This PT0-002 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PT0-002 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.