Port 5357 Hacktricks !!install!! Info

During a penetration test or internal audit, port 5357 presents itself as an active HTTP endpoint. 1. Nmap Identification

5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Service Unavailable Use code with caution. Interrogating the Web API

In local network environments, services tied to network discovery can sometimes be coerced into authenticating against an attacker-controlled machine. While tools like Responder target LLMNR/NBT-NS (UDP 137/138) or mDNS, WSD configurations can occasionally be manipulated to force a machine to initiate an outbound SMB connection, exposing NTLM hashes for cracking or relaying. 4. Remediation and Hardening

curl http://<target>:5357/

During the internal phase of a penetration test, Port 5357 helps map the active network topology. By listening to WSD broadcast requests or querying the endpoints, an attacker can pinpoint high-value targets like domain controllers, print servers, and executive workstations without generating noisy traffic on traditional SMB ports (like 445). 3. NTLM Relay and SSRF Targets port 5357 hacktricks

Device: http://10.10.10.5:5357/wsd/3f8c2a1b-... Type: Printer Friendly Name: HP LaserJet M402dw Metadata URL: http://10.10.10.5:5357/wsd/3f8c2a1b/metadata

Poorly secured WSD services can expose web-based admin pages for printers or scanners, potentially allowing attackers to view or submit print jobs.

WSDAPI (Web Services for Devices) / HTTP Commonly found on: Windows (Windows 7, 8, 10, Server editions) Protocol: HTTP (often REST-like SOAP/XML services)

is commonly used by:

"Web Services for Devices," Elena muttered to herself, opening a new tab in her browser. She navigated to HackTricks, the bible for modern penetration testers. She typed the port number into the search bar.

HackTricks often notes that port 5357 may be:

A standard service scan will usually identify the port as http using the Microsoft HTTPAPI httpd. nmap -p 5357 -sV -sC Use code with caution. Manual HTTP Enumeration

In a typical configuration, WSDAPI uses two primary ports: During a penetration test or internal audit, port

Port 5357 - Pentesting Web Services Dynamic Discovery (WSDAPI)

Historically, critical vulnerabilities like allowed remote code execution or blue-screen-of-death (BSOD) conditions via malformed HTTP requests sent to ports running the Microsoft-HTTPAPI.

Port 5357 – WSDAPI (Web Services for Devices) - PentestPad

When you map a network drive or add a network printer in Windows, the system frequently relies on this port to negotiate connections and query device capabilities. 2. Reconnaissance and Enumeration Interrogating the Web API In local network environments,