
5357 Hacktricks - Port

If a vulnerability or misconfiguration allows an attacker to coerce a service running over port 5357 to authenticate against an attacker-controlled server, those credentials can be relayed to other machines on the network where SMB signing is disabled.

4. Remediation and Defense

If the application parses external XML schemas or allows pointing to remote web service definitions (WSDL), attackers can attempt:

Port 5357 is used by the Web Services for Devices API (WSDAPI), a Microsoft implementation of WS-Discovery. This service allows devices on a local network—like printers, scanners, and file shares—to advertise and discover services without a central server.

During the internal phase of a penetration test, Port 5357 helps map the active network topology. By listening to WSD broadcast requests or querying the endpoints, an attacker can pinpoint high-value targets like domain controllers, print servers, and executive workstations without generating noisy traffic on traditional SMB ports (like 445).

3. NTLM Relay and SSRF Targets

: HTTP (often managed by the Windows HTTP Server API, http.sys)


Devices broadcast multicast messages over UDP 3702 to announce themselves. The system then transitions the session to TCP port 5357 for heavy unicast data retrieval.

: Devices send probe messages to locate services.

: While less common than port 80 or 443, if the service is misconfigured, it might be leveraged in NTLM relay attacks or for internal network scanning.

Common Nmap command (<target> is a placeholder for the host being assessed):

nmap -sV -p 5357 <target>

A stack-based buffer overflow vulnerability. Attackers could send a crafted WS-Discovery message with an overly long "MIME-Version" string to execute arbitrary code with service-level privileges.

Port 5357 is used by the Web Services for Devices API (WSDAPI), a Microsoft implementation of the WS-Discovery protocol. It allows Windows systems to automatically discover and communicate with network devices like printers, scanners, and cameras over HTTP.

Service Summary

Service Name: wsdapi
Common Banner: Microsoft-HTTPAPI/2.0
Protocol: HTTP over TCP (Port 5357) or HTTPS (Port 5358).

"Recommendation: Block Port 5357/tcp on the perimeter firewall immediately. The exposed WS-Discovery service allowed for the enumeration of the primary Domain Controller hostname ('LEDGER-DC01') and internal network topology without authentication."

5357 (HTTP), 5358 (HTTPS), and 3702 (UDP - multicast for discovery).

2. HackTricks & Pentesting Context: Common Risks


: Restrict access to port 5357 via Windows Defender Firewall. Ensure it is only accessible from trusted local subnets, or block it entirely on critical infrastructure like Domain Controllers and database servers.

WSDAPI typically listens on TCP 5357/5358 after receiving broadcast messages on UDP 3702. Capturing these broadcasts reveals a target's UUID (Universally Unique Identifier), which is required to trigger certain legacy vulnerabilities.