A hostname with an IPv6 address is stored as a AAAA resource record in DNS (see AAAA record). There are many DNS hostname bruteforcing tools, personally I like Fierce. Suppose we have already run our hostname bruteforcing tool against a target domain (e.g. facebook.com). Below we use dig to do a AAAA record lookup for each hostname. Note, the DNS server we use matters. In this example we use 8.8.8.8, to confirm different results try using a.ns.facebook.com instead. Host can also be used instead of dig:

1
2
3
4
5
6
7
8

$> cat fb_hosts.txt | while read line; do echo $line" Results:" && dig @8.8.8.8 +noall +answer AAAA $line && echo; done
mobile.facebook.com Results:

ipv6.facebook.com Results:

www.facebook.com Results:
www.facebook.com. 1903    IN  CNAME   star.c10r.facebook.com.
star.c10r.facebook.com.   30  IN  AAAA    2a03:2880:f00b:900:face:b00c:0:1

An offline/quieter way is to use the DNS Record (ANY) set from the Internet-Wide Scan Data Repository done by Rapid7. Using facebook.com as an example again:

1

$> pigz -dc 20140310_dnsrecords.gz | grep -i "\.facebook\.com" | grep AAAA

This didn’t turn up very many results but we can combine the two:

1
2
3
4
5

$> pigz -dc 20140310_dnsrecords.gz | zgrep "\.facebook\.com" | grep ",A," | cut -d"," -f1 | while read line; do echo $line" Results:" && dig @8.8.8.8 +noall +answer AAAA $line && echo; done
...
z.c10r.facebook.com Results:
z.c10r.facebook.com.    59      IN      AAAA    2a03:2880:f00b:305:face:b00c:0:1
...

You get the idea =). Not a new concept or technique, just wanted to put some notes in one place.