
Port reference

Port 547 (UDP) – DHCPv6 Server

DHCPv6 server — assigns IPv6 addresses and network options to clients on a link.

UDP · Well-known · Commonly attacked

Default state

Open on DHCPv6 servers and relays. Windows enables IPv6 by default and its clients solicit DHCPv6 on their own, so they accept a rogue server's reply even on networks that never deployed IPv6.

Common attacks

  • Rogue DHCPv6 server hijacking client IPv6 configuration
  • mitm6 — DNS takeover via DHCPv6 to relay NTLM in Active Directory
  • DNS server option injection to redirect resolution
  • Denial of service through address-pool exhaustion

Hardening

  • Disable DHCPv6 on clients where it is not used (prefer IPv4 over IPv6, or block inbound UDP 546 at the host firewall, rather than switching off the whole IPv6 stack)
  • Enable DHCPv6 Guard / RA Guard on switch ports
  • Enforce LDAP signing and LDAPS channel binding so relayed NTLM fails against the directory
  • Restrict DHCPv6 to authorised servers and monitor for rogue responders
  • Segment and inspect IPv6 traffic, not just IPv4

nmap snippet

nmap -6 -sU -p 547 --script broadcast-dhcp6-discover -e <interface> <target>

Replace <target> with the host or range you're authorized to scan. The script name is broadcast-dhcp6-discover (there is no dhcp6-discover script); it multicasts a Solicit on the interface given with -e and reports any server that answers, so it only finds servers on the link you are attached to.

What runs on port 547?

Port 547 is the DHCPv6 server port. On IPv6 networks, DHCPv6 servers and relays listen on UDP 547 to assign IPv6 addresses and distribute network options (DNS servers, domain search lists and more) to clients, which send from and listen on UDP 546. It is the IPv6 counterpart to IPv4 DHCP on UDP 67/68. A client starts the exchange by multicasting a Solicit to ff02::1:2 and accepts an Advertise or Reply from whichever server answers. Crucially, modern Windows enables IPv6 by default and prefers an IPv6-configured DNS server over the IPv4 one, so clients keep soliciting DHCPv6 even on networks that never deployed it.

Why it matters for security

Because Windows favours IPv6, an attacker who answers those Solicits controls the client's IPv6 address and, more importantly, its DNS server, without touching the legitimate IPv4 configuration at all. The well-known mitm6 attack abuses this: the rogue DHCPv6 server hands out itself as the DNS server, answers name lookups (WPAD in particular) with its own address, and so receives NTLM authentication from the victim, which is then relayed to LDAP. That is a direct path to Active Directory takeover.

How it's attacked

Tools like mitm6 run a rogue DHCPv6 responder on the segment, answer Solicits before any real server (on a network with no DHCPv6 at all there is nothing to race), and inject a malicious DNS server option. Victim lookups then resolve to the attacker, who relays the captured NTLM to LDAP, LDAPS or other services that accept it, typically with ntlmrelayx, to add a computer account, configure delegation, or grant rights. Against a real DHCPv6 deployment, attackers can also exhaust the server's address pool for denial of service.

Hardening checklist

Disable DHCPv6 on clients where it is genuinely unused; since switching off the IPv6 stack outright is discouraged by Microsoft, preferring IPv4 over IPv6 or blocking inbound UDP 546 at the host firewall is usually the practical fix. Enable DHCPv6 Guard and RA Guard on access switches to drop rogue responses. Enforce LDAP signing and LDAPS channel binding so relayed NTLM fails against the directory, remembering that relay to other services which accept NTLM is not stopped by LDAP hardening alone. Restrict DHCPv6 to authorised servers, monitor for rogue responders, and inspect IPv6 traffic as thoroughly as IPv4. The nmap script above solicits DHCPv6 servers on the local link of networks you are authorised to test.
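The message layout described under "What runs on port 547?" and the "monitor for rogue responders" item above, as an added example that is not code from the original page or from mitm6: a minimal DHCPv6 builder and parser (RFC 8415 header plus TLV options, with the DNS server and domain list options from RFC 3646), followed by an audit that flags server-to-client messages on UDP 547 → 546 from unauthorised sources or pushing unapproved resolvers. The packets, DUIDs and addresses are constructed for the example; the link-local and 2001:db8:: addresses are not real hosts.

```python
"""DHCPv6 message builder, parser and rogue-responder audit (added example)."""
import ipaddress
import struct

SOLICIT, ADVERTISE, REPLY = 1, 2, 7            # message types used here (RFC 8415)
OPT_CLIENTID, OPT_SERVERID = 1, 2              # DUID options
OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 23, 24      # RFC 3646 options
SERVER_PORT, CLIENT_PORT = 547, 546


def build_option(code, value):
    """One option: 2-byte code, 2-byte length, value."""
    return struct.pack("!HH", code, len(value)) + value


def build_message(msg_type, xid, options):
    """1-byte msg-type + 3-byte transaction-id + options."""
    body = b"".join(build_option(code, value) for code, value in options)
    return bytes([msg_type]) + xid.to_bytes(3, "big") + body


def parse_message(data):
    """Return {'type', 'xid', 'options': {code: [value, ...]}}; reject truncated TLVs."""
    if len(data) < 4:
        raise ValueError("DHCPv6 header is 4 bytes")
    msg = {"type": data[0], "xid": int.from_bytes(data[1:4], "big"), "options": {}}
    pos = 4
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if pos + length > len(data):
            raise ValueError("option length runs past end of message")
        msg["options"].setdefault(code, []).append(data[pos:pos + length])
        pos += length
    return msg


def encode_domain_list(names):
    """RFC 1035 label encoding, each name zero-terminated (option 24)."""
    out = b""
    for name in names:
        for label in name.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return out


def decode_domain_list(raw):
    names, labels, pos = [], [], 0
    while pos < len(raw):
        n = raw[pos]
        pos += 1
        if n == 0:
            names.append(".".join(labels))
            labels = []
        else:
            labels.append(raw[pos:pos + n].decode("ascii"))
            pos += n
    return names


def dns_servers(msg):
    """Option 23 carries raw 16-byte IPv6 addresses back to back."""
    addrs = []
    for raw in msg["options"].get(OPT_DNS_SERVERS, []):
        if len(raw) % 16:
            raise ValueError("DNS_SERVERS option must be a multiple of 16 bytes")
        addrs += [str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(0, len(raw), 16)]
    return addrs


def audit(datagrams, authorised_servers, approved_dns):
    """Flag 547->546 Advertise/Reply messages from unknown servers or naming unknown resolvers.

    datagrams: iterable of (src_ip, src_port, dst_port, payload). On a segment that never
    deployed DHCPv6, pass empty sets: every server message is then a finding.
    """
    findings = []
    for src, sport, dport, payload in datagrams:
        if sport != SERVER_PORT or dport != CLIENT_PORT:
            continue                               # only server-to-client traffic
        msg = parse_message(payload)
        if msg["type"] not in (ADVERTISE, REPLY):
            continue
        if src not in authorised_servers:
            findings.append((src, "DHCPv6 Advertise/Reply from unauthorised server"))
        for dns in dns_servers(msg):
            if dns not in approved_dns:
                findings.append((src, "DNS server option points to " + dns))
    return findings


# Constructed sample exchange: the client solicits, the real server answers, and a
# mitm6-style rogue answers naming itself as the DNS server. DUIDs are made up (DUID-LL).
CLIENT, LEGIT_SERVER, ROGUE = "fe80::1", "fe80::10", "fe80::bad"
XID = 0x0A1B2C
CLIENT_DUID = b"\x00\x03\x00\x01\x02\x00\x00\x00\x00\x01"
SERVER_DUID = b"\x00\x03\x00\x01\x02\x00\x00\x00\x00\x10"
SOLICIT_MSG = build_message(SOLICIT, XID, [(OPT_CLIENTID, CLIENT_DUID)])
LEGIT_ADVERTISE = build_message(ADVERTISE, XID, [
    (OPT_SERVERID, SERVER_DUID), (OPT_CLIENTID, CLIENT_DUID),
    (OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed),
    (OPT_DOMAIN_LIST, encode_domain_list(["corp.example"]))])
ROGUE_ADVERTISE = build_message(ADVERTISE, XID, [
    (OPT_SERVERID, SERVER_DUID[:-1] + b"\xad"), (OPT_CLIENTID, CLIENT_DUID),
    (OPT_DNS_SERVERS, ipaddress.IPv6Address(ROGUE).packed),
    (OPT_DOMAIN_LIST, encode_domain_list(["corp.example"]))])
SAMPLE_DATAGRAMS = [
    (CLIENT, CLIENT_PORT, SERVER_PORT, SOLICIT_MSG),
    (LEGIT_SERVER, SERVER_PORT, CLIENT_PORT, LEGIT_ADVERTISE),
    (ROGUE, SERVER_PORT, CLIENT_PORT, ROGUE_ADVERTISE)]

if __name__ == "__main__":
    for src, reason in audit(SAMPLE_DATAGRAMS, {LEGIT_SERVER}, {"2001:db8::53"}):
        print(src + ": " + reason)
```

Run as-is it reports two findings, both against fe80::bad: the unauthorised responder and the DNS option pointing at the attacker, which is exactly the mitm6 signature. Feed `audit` real datagrams from a link-layer capture and an empty allowlist on segments where DHCPv6 was never deployed, and any Advertise or Reply at all becomes an alert.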


Frequently asked questions

What is port 547 used for?
Port 547 is the DHCPv6 server port. Servers and relays listen on UDP 547 to hand out IPv6 addresses, DNS servers, and other network options to clients (which use port 546).
Why is DHCPv6 dangerous in Active Directory?
Windows prefers IPv6, so a rogue DHCPv6 server (mitm6) can become the client's DNS server, answer lookups such as WPAD with its own address to capture NTLM authentication, and relay it to LDAP for domain takeover.