Port 5357 Hacktricks

The metadata URL returns an XML document that lists the actions (operations) the device supports.

curl http://10.10.10.5:5357/wsd/3f8c2a1b/metadata

Look for <wsdp:Get> – this allows you to request internal device info.
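To see concretely what a WSD metadata document hands to any unauthenticated client on the LAN, here is an added example (not code from the page or from any project it cites) that parses such a document and flattens it into audit lines a defender can log or diff against an asset inventory. The namespace URIs are the real WS-MetadataExchange, DPWS (wsdp) and WS-Addressing namespaces; the sample XML, device name, serial number and addresses are constructed for illustration, and the helper names are this example's own.

```python
# Added example (not from the page or any project it cites): parse a DPWS/WSD
# metadata document and summarise what it discloses, so a defender can see
# exactly which hostnames, model details and service endpoints a WSDAPI
# listener returns to any unauthenticated client on the LAN.
import xml.etree.ElementTree as ET

# Real namespace URIs: WS-MetadataExchange, Devices Profile for Web Services
# (prefix wsdp) and WS-Addressing.
NS = {
    "wsx": "http://schemas.xmlsoap.org/ws/2004/09/mex",
    "wsdp": "http://schemas.xmlsoap.org/ws/2006/02/devprof",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
}

# Constructed sample response shaped like a WSD metadata document.
# Names, serial number and addresses are invented for illustration.
SAMPLE_METADATA = """<wsx:Metadata
    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
    xmlns:wsdp="http://schemas.xmlsoap.org/ws/2006/02/devprof"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
  <wsx:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2006/02/devprof/ThisDevice">
    <wsdp:ThisDevice>
      <wsdp:FriendlyName>EXAMPLE-WS01</wsdp:FriendlyName>
      <wsdp:FirmwareVersion>10.0.19041</wsdp:FirmwareVersion>
      <wsdp:SerialNumber>SN-EXAMPLE-0001</wsdp:SerialNumber>
    </wsdp:ThisDevice>
  </wsx:MetadataSection>
  <wsx:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2006/02/devprof/ThisModel">
    <wsdp:ThisModel>
      <wsdp:Manufacturer>Example Corp</wsdp:Manufacturer>
      <wsdp:ModelName>Example Printer 2000</wsdp:ModelName>
      <wsdp:PresentationUrl>http://192.0.2.10/admin</wsdp:PresentationUrl>
    </wsdp:ThisModel>
  </wsx:MetadataSection>
  <wsx:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2006/02/devprof/Relationship">
    <wsdp:Relationship Type="http://schemas.xmlsoap.org/ws/2006/02/devprof/host">
      <wsdp:Hosted>
        <wsa:EndpointReference>
          <wsa:Address>http://192.0.2.10:5357/print</wsa:Address>
        </wsa:EndpointReference>
        <wsdp:ServiceId>urn:example:printservice</wsdp:ServiceId>
      </wsdp:Hosted>
    </wsdp:Relationship>
  </wsx:MetadataSection>
</wsx:Metadata>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_wsd_metadata(xml_text):
    """Return {'device': {...}, 'model': {...}, 'hosted': [...]} from metadata XML.

    The stdlib parser is fine for this embedded sample; for XML fetched from an
    untrusted device, parse with defusedxml to avoid entity-expansion bombs.
    """
    root = ET.fromstring(xml_text)
    info = {"device": {}, "model": {}, "hosted": []}
    for el in root.iterfind(".//wsdp:ThisDevice/*", NS):
        info["device"][_local(el.tag)] = (el.text or "").strip()
    for el in root.iterfind(".//wsdp:ThisModel/*", NS):
        info["model"][_local(el.tag)] = (el.text or "").strip()
    for hosted in root.iterfind(".//wsdp:Hosted", NS):
        info["hosted"].append({
            "address": hosted.findtext("wsa:EndpointReference/wsa:Address", "", NS).strip(),
            "service_id": hosted.findtext("wsdp:ServiceId", "", NS).strip(),
        })
    return info


def disclosure_report(info):
    """Flatten the parsed metadata into 'field=value' lines for an audit log."""
    lines = [f"device.{k}={v}" for k, v in info["device"].items()]
    lines += [f"model.{k}={v}" for k, v in info["model"].items()]
    lines += [f"hosted.{h['service_id']}={h['address']}" for h in info["hosted"]]
    return lines


if __name__ == "__main__":
    for line in disclosure_report(parse_wsd_metadata(SAMPLE_METADATA)):
        print(line)
```

Every line the report prints is something an unauthenticated peer can read; if the hostname, firmware version or a PresentationUrl pointing at an admin page shows up here, that is the information-leak surface the rest of this page is talking about, and the fix is the firewall/Network Discovery hardening described below rather than anything on the device side.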

Port 5357 is more than just an obscure port – it’s a potential entry point for unauthenticated info leaks, NTLM relaying, and legacy RCE. While not as juicy as 445, it’s often overlooked, making it a reliable target for lateral movement during internal penetration tests. If you see 5357 open, treat it as a lead, not a dead end.

Remember: in red teaming, every open port is a story waiting to be exploited.


This article is part of the HackTricks-style knowledge base. Always perform attacks only on systems you own or have explicit permission to test.

Port 5357: WSDAPI Enumeration and Penetration Testing

Port 5357 (TCP) is primarily used by the Web Services for Devices API (WSDAPI), Microsoft's implementation of the WS-Discovery protocol. It allows Windows systems to automatically discover and communicate with network-connected devices like printers, scanners, and file shares over HTTP. In a penetration testing context, this port is often a target for fingerprinting Windows environments or exploiting legacy memory corruption vulnerabilities.

Service Overview

WSDAPI facilitates a "plug-and-play" network experience. It typically utilizes:

TCP Port 5357: HTTP-based communication.
TCP Port 5358: HTTPS-based communication (secure channel).
UDP Port 3702: Multicast discovery (WS-Discovery).

The service is generally active on Windows Vista, Windows 7, Windows 10, and Windows Server 2008 and later.

Enumeration and Information Gathering

During a network assessment, port 5357 is highly useful for fingerprinting the target system.

1. Nmap Scanning

You can use Nmap to identify the service and its version. Since it runs over HTTP, standard service discovery flags are effective:

nmap -p 5357 -sV <target>

Nmap typically identifies this as http or microsoft-httpapi. If the port appears open on every host in a subnet, it may be due to network-level forwarding or a firewall configuration rather than the service actually being active on every individual host.

2. Service Metadata

WSDAPI can leak significant metadata that aids in lateral movement:

Hostnames and computer names.
Device metadata such as printer models or scanner types.
Network paths and file share locations.

Known Vulnerabilities and Exploitation

MS09-063: Memory Corruption (CVE-2009-2512)

One of the most critical vulnerabilities associated with WSDAPI is a stack-based buffer overflow.

Port 5357 – WSDAPI (Web Services for Devices) - PentestPad

Port 5357 is primarily associated with Web Services for Devices (WSDAPI), a Microsoft implementation used for discovering and communicating with network-connected devices like printers and scanners over HTTP.

The Role of Port 5357

On modern Windows systems, Port 5357 (TCP) acts as a local web server for the WSDAPI service. It allows devices to advertise their presence and services on a local network without manual configuration. While useful for seamless hardware integration, it often presents a surface for information gathering during a security assessment.

Security Implications and Pentesting

According to methodologies found on resources like HackTricks, every open port is a potential entry point or data source. For Port 5357, the primary risks include:

Information Disclosure: The service can leak metadata such as device hostnames, manufacturer details, and network paths. Attackers use this for fingerprinting the internal network to identify specific Windows versions or hardware models.

Vulnerability Surface: Historically, this service has been susceptible to memory corruption. For example, Microsoft Security Bulletin MS09-063 addressed a critical vulnerability where specially crafted headers could lead to remote code execution.

Lateral Movement: By interacting with WSD, an attacker might identify other vulnerable devices on the subnet that wouldn't otherwise be visible through standard scanning.

Practical Assessment Steps

If you encounter Port 5357 during a scan, consider the following:

Identify the Process: Use commands like netstat -anb | find "5357" to verify that the system is actively listening and to confirm it is indeed the Windows WSD service.

Service Probing: Attempt to browse the port via HTTP. While it may not serve a traditional webpage, it may respond with XML data or SOAP responses that reveal device identity.

Network Context: Note that this port is typically open in unmanaged or small office networks where "Network Discovery" is enabled. In highly secured environments, hardening recommendations suggest blocking this port at the firewall level to prevent unnecessary information leakage.

Port 5357 is used by Microsoft's Web Services for Devices API (WSDAPI) for local network discovery of devices like printers, and it is frequently targeted in penetration testing to gather host metadata and network information. Although not covered by HackTricks, this service often leaks information and can be mitigated by disabling Network Discovery in the Windows Control Panel or configuring firewall rules. More detailed port analysis can be found on PentestPad.

Port 5357 – WSDAPI (Web Services for Devices) - PentestPad

This report outlines the security implications of Port 5357 (TCP), commonly used by the Web Services for Devices (WSDAPI) in Windows environments, often referred to in penetration testing resources like HackTricks as a target for service discovery and potential exploitation.

1. What is Port 5357?

WSDAPI (Web Services for Devices API) - WSDAPI.dll. Enables automatic discovery of network-connected devices (printers, scanners, cameras) over HTTP, allowing them to communicate on local networks without needing central servers or manual configuration.

Usually open on Windows clients (Vista and later), IoT devices, and network printers.

Associated Ports: 5357 (HTTP), 5358 (HTTPS), and 3702 (UDP - multicast for discovery).

2. HackTricks & Pentesting Context: Common Risks

Penetration testers and hackers often target this port for the following reasons:

Information Disclosure/Reconnaissance: WSD can leak service details, including hostnames, printer names, network paths, and device metadata. This is valuable for fingerprinting the network.

Unauthorized Access: Poorly secured WSD services can expose printer admin pages, allowing attackers to manipulate or intercept print jobs.

Lateral Movement: Attackers use this port to identify internal devices to pivot from a workstation to network devices.

3. Vulnerabilities and Exploits

CVE-2009-2512 (MS09-063): A significant memory corruption vulnerability exists where a crafted WS-Discovery message with an overly long MIME-Version string can lead to stack corruption and arbitrary code execution.

WSDAPI RCE (CVE-2020-0796/Related): A specially crafted packet sent to the WSDAPI can cause a crash (denial of service) or potentially allow Remote Code Execution (RCE).

Attack Vectors: Attackers on the local subnet (intranet) can send malicious packets to the service, though it is usually blocked by firewall settings from the public internet.

4. Mitigation and Security Best Practices

Disable Network Discovery: For public networks, deactivate Network Discovery to close the port.

Firewall Configuration: Ensure the Windows Firewall is active to restrict connections to the local network (LAN) only, preventing exposure to wider network segments.

Patch Management: Apply Microsoft updates, particularly those addressing WSDAPI vulnerabilities.

5. Investigation Commands

To check if Port 5357 is open on a Windows system:

netstat -anb | find "5357"

If the port is listening, it often shows:

TCP    0.0.0.0:5357    0.0.0.0:0    LISTENING
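The `find "5357"` filter above matches any line containing the digits, including established connections and unrelated ports such as 15357, so it tells you little about whether WSDAPI is actually listening or how widely it is bound. The following added example (not code from the page or from PentestPad) parses netstat -an / -anb output properly, keeps only true listeners on the port of interest, and classifies the bind address (all interfaces, loopback or a single address), which is the detail that decides whether the firewall and Network Discovery mitigations above apply. The netstat sample is constructed; the function and constant names are this example's own.

```python
# Added example (not from the page): parse `netstat -an` / `netstat -anb`
# output and report whether a port (5357 by default) is listening and on which
# interface. The sample output below is constructed for illustration.
import re

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  Can not obtain ownership information
  TCP    192.0.2.20:5357        192.0.2.55:49712       ESTABLISHED
  TCP    [::]:5357              [::]:0                 LISTENING
  UDP    0.0.0.0:3702           *:*
"""

# One socket line: proto, local address, foreign address, optional state
# (UDP lines carry no state). Owner lines like "[svchost.exe]" and headers
# do not match and are skipped.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_host_port(addr):
    """Split '0.0.0.0:5357' or '[::]:5357' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, port


def classify_bind(host):
    """Describe how widely a listener is exposed by its bind address."""
    if host in ("0.0.0.0", "[::]"):
        return "all-interfaces"
    if host.startswith("127.") or host == "[::1]":
        return "loopback"
    return "single-address"


def find_listeners(netstat_text, port="5357"):
    """Return listeners on `port` as dicts of proto, bind address and scope."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, _remote, state = m.groups()
        host, lport = split_host_port(local)
        if lport != port:
            continue  # exact port match, unlike a substring `find "5357"`
        if proto == "TCP" and state != "LISTENING":
            continue  # established connections are not listeners
        listeners.append({"proto": proto, "bind": host, "scope": classify_bind(host)})
    return listeners


def assess(netstat_text, port="5357"):
    """One-line verdict suitable for a finding or ticket."""
    found = find_listeners(netstat_text, port)
    if not found:
        return f"port {port}: not listening"
    binds = ", ".join(entry["bind"] for entry in found)
    scopes = "/".join(sorted({entry["scope"] for entry in found}))
    return f"port {port}: listening on {binds} ({scopes})"


if __name__ == "__main__":
    print(assess(SAMPLE_NETSTAT))
    print(assess(SAMPLE_NETSTAT, "3702"))
```

Run on a real host, feed it the output of netstat -an (or -anb from an elevated prompt, which adds the owning process lines the parser ignores). An "all-interfaces" verdict on 5357 is the case the mitigation section above is about: the listener is reachable from every network the machine is attached to unless the firewall profile limits it to the LAN.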

Disclaimer: This report is based on information regarding network security and vulnerability research.

Port 5357 – WSDAPI (Web Services for Devices) - PentestPad

Port 5357 is a common sight during Windows penetration tests, often identified as Microsoft HTTPAPI httpd 2.0 or WSDAPI (Web Services for Devices API). While often overlooked, it serves as a critical discovery point for local network reconnaissance and legacy exploitation.

Service Overview: WSDAPI

WSDAPI is Microsoft's implementation of the WS-Discovery protocol. It allows Windows machines to automatically discover and communicate with network-connected devices like printers, scanners, and file shares without manual configuration.

Port 5357 (TCP): Used for HTTP-based communication.
Port 5358 (TCP): Used for HTTPS-based communication.
Port 3702 (UDP): Used for multicast discovery.

Reconnaissance & Enumeration

When you encounter port 5357, the first step is to confirm the service and identify potential information leaks.

1. Nmap Service Detection

A standard version scan will often reveal the underlying HTTP server.

nmap -sV -p 5357 <target>

Expected Output: 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP).

2. Information Disclosure

Port 5357 can leak metadata useful for fingerprinting the target.

Hostnames & Device Names: WSD often broadcasts the actual name of the computer or printer.

OS Fingerprinting: The specific response from Microsoft-HTTPAPI/2.0 can help narrow down Windows versions (commonly seen in Vista, Windows 7, and Server 2008).

Vulnerabilities & Exploitation

1. Remote Code Execution (MS09-063 / CVE-2009-2512)

This is the most critical historic vulnerability associated with port 5357. Reference: Microsoft Security Bulletin MS09-063 - Critical.

Port 5357 is used by the Web Services for Devices API (WSDAPI), a Microsoft implementation of the WS-Discovery protocol. It allows Windows systems to automatically discover and communicate with network devices like printers, scanners, and cameras over HTTP.

Service Summary

Service Name: wsdapi
Common Banner: Microsoft-HTTPAPI/2.0
Protocol: HTTP over TCP (Port 5357) or HTTPS (Port 5358).
Discovery Mechanism: Often works in tandem with UDP Port 3702 (multicast) for initial discovery before moving to TCP 5357 for communication.

Security Risks & Enumeration

While HackTricks does not currently have a dedicated page for "Port 5357," it appears in general Windows enumeration checklists and involves the following risks:

Information Disclosure: WSD can leak metadata including hostnames, device models (e.g., printer types), network paths, and unique device identifiers (GUIDs).

Legacy Remote Code Execution (RCE): A critical vulnerability (MS09-063 / CVE-2009-2512) allowed unauthenticated RCE via specially crafted WSD headers on Windows Vista and Server 2008.

Fingerprinting: The Microsoft-HTTPAPI/2.0 banner confirms a Windows-based web service is running, which helps attackers identify the target OS.

Lateral Movement: Exposed printer or scanner interfaces can sometimes be accessed without authentication, potentially allowing job manipulation or further reconnaissance within a local network.


If the endpoint requires NTLM authentication (e.g., for GetPrinterData action), you can trigger an authentication attempt:

ntlmrelayx.py -tf targets.txt -smb2support

Then convince a user on the target host to visit an attacker-controlled SMB share or use a tool like responder + pxe to force a connection to http://target:5357/wsd.

Port 5357 is officially allocated to WSDAPI – Web Services for Devices on Windows. It is part of Microsoft’s implementation of the Devices Profile for Web Services (DPWS). Think of it as a "Plug and Play for the network" – devices (printers, scanners, media servers, IoT hubs) announce themselves and their capabilities via SOAP/HTTP.

By default, Windows 10/11, Server 2016/2019/2022 listen on 0.0.0.0:5357 when network discovery is enabled (turned on in "Network and Sharing Center").

Older Windows versions (7, Server 2008 R2, early 2016) had an RCE via a crafted ProbeMatches message. Exploit code exists on Exploit-DB.