Hacktricks [portable] — Port 5357

Port 5357: WSDAPI Enumeration and Penetration Testing

Port 5357 (TCP) is primarily used by the Web Services for Devices API (WSDAPI), Microsoft's implementation of the WS-Discovery protocol. It allows Windows systems to automatically discover and communicate with network-connected devices like printers, scanners, and file shares over HTTP. In a penetration testing context, this port is often a target for fingerprinting Windows environments or exploiting legacy memory corruption vulnerabilities.

Service Overview

The discovery process usually begins with a multicast message over UDP port 3702. Once a device is discovered and a handshake is completed, further communication and data exchange move to TCP port 5357 (HTTP) or TCP port 5358 (HTTPS).

Conclusion

If you encounter Port 5357 during a scan, you can use these methods to gather more information:

This allows applications like the Windows Print Spooler or Windows Fax and Scan to communicate directly with WSD-enabled hardware. Many network printers from manufacturers like HP, Brother, Canon, and Epson expose a WSD endpoint on this port by default.

Penetration Testing and Information Leakage

Device: http://10.10.10.5:5357/wsd/3f8c2a1b-...
Type: Printer
Friendly Name: HP LaserJet M402dw
Metadata URL: http://10.10.10.5:5357/wsd/3f8c2a1b/metadata

Information Leakage Check: Port 5357 has been noted as a potential source for information leaks. Use tools like curl to check for XML responses that might reveal device names, manufacturer details, or network configurations.

curl -v http://<target-ip>:5357/
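To audit what a WSD endpoint on port 5357 discloses, this added example (not code from the original page) parses a response body and lists the identifying fields it contains. The sample XML is constructed and simplified, `disclosed_fields` is a hypothetical helper name, and the field names are those of the Devices Profile for Web Services (DPWS).

```python
import xml.etree.ElementTree as ET

# Identifying fields defined by DPWS (ThisDevice / ThisModel metadata).
DISCLOSING_FIELDS = {
    "FriendlyName", "FirmwareVersion", "SerialNumber",
    "Manufacturer", "ModelName", "ModelNumber", "PresentationUrl",
}

# Constructed sample of a WSD metadata response body (not from a real device).
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:wsdp="http://schemas.xmlsoap.org/ws/2006/02/devprof">
  <soap:Body>
    <wsdp:ThisDevice>
      <wsdp:FriendlyName>HP LaserJet M402dw</wsdp:FriendlyName>
      <wsdp:FirmwareVersion>0.0.0-example</wsdp:FirmwareVersion>
      <wsdp:SerialNumber>EXAMPLE0001</wsdp:SerialNumber>
    </wsdp:ThisDevice>
    <wsdp:ThisModel>
      <wsdp:Manufacturer>HP</wsdp:Manufacturer>
      <wsdp:ModelName>LaserJet M402dw</wsdp:ModelName>
    </wsdp:ThisModel>
  </soap:Body>
</soap:Envelope>"""


def disclosed_fields(xml_bytes):
    """Return {field: value} for identifying fields present in a WSD response."""
    # Device responses are untrusted input: refuse DTDs so entity-expansion
    # payloads are never handed to the parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations not allowed in WSD response")
    root = ET.fromstring(xml_bytes)
    found = {}
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop the namespace; prefixes vary
        text = (elem.text or "").strip()
        if local in DISCLOSING_FIELDS and text:
            found.setdefault(local, text)  # keep the first occurrence
    return found


if __name__ == "__main__":
    for name, value in sorted(disclosed_fields(SAMPLE_METADATA).items()):
        print(f"{name}: {value}")
```

Firmware versions and serial numbers in the output are the fields most worth suppressing or restricting to a management VLAN.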

Step 3: Command Injection via WSD Action

Some WSD implementations accept a Set action. Fuzzing the metadata might reveal an action like SetSystemTime or ExecuteCommand (rare but happens in embedded devices).

Her job was simple: find the weakness before the bad guys did.