IPv6 actually makes such attacks more difficult, not less.
An attacker looking to be stealthy is not going to blast the network with nmap...
ARP is broadcast, NDP is solicited node multicast so simply by passively listening on the network you will discover nodes in the same layer 2 segment, with v6 and properly configured switches your passive discovery will be a lot more limited.
Other passive techniques would be monitoring things like DNS, and things the host you've compromised is actively communicating with. This isn't any different regardless of the protocol used.
You can also actively communicate with services like DNS or Active Directory and query information about the network, depending on your level of risk.
Just knowing the in-use IPv6 block is useless, the blocks are massive so even just identifying active hosts in a single known IPv6 block is a lot harder than simply scanning the entire RFC1918 legacy address space.
For active discovery, IPv6 is harder to attack - you can't scan the entire address block looking for hosts. The fact that such scans should be detected is exactly the same for either protocol. You also have to consider response time and what an attacker may be able to achieve before your response kicks in.
An attacker looking to be stealthy is not going to blast the network with nmap...
ARP is broadcast, NDP is solicited node multicast so simply by passively listening on the network you will discover nodes in the same layer 2 segment, with v6 and properly configured switches your passive discovery will be a lot more limited.
Other passive techniques would be monitoring things like DNS, and things the host you've compromised is actively communicating with. This isn't any different regardless of the protocol used.
You can also actively communicate with services like DNS or Active Directory and query information about the network, depending on your level of risk.
Just knowing the in-use IPv6 block is useless, the blocks are massive so even just identifying active hosts in a single known IPv6 block is a lot harder than simply scanning the entire RFC1918 legacy address space.
For active discovery, IPv6 is harder to attack - you can't scan the entire address block looking for hosts. The fact that such scans should be detected is exactly the same for either protocol. You also have to consider response time and what an attacker may be able to achieve before your response kicks in.
IPv6 makes it harder for attackers, not easier.