The service listening on port 5357 is typically or Function Discovery Resource Publication . It operates over HTTP (not HTTPS by default) and responds to HTTP GET requests and SOAP-based messages. The endpoint often exposes device metadata and available actions.
Introduction In the landscape of network reconnaissance and exploitation, certain ports become synonymous with specific attack vectors. Port 5357 is one such port. While not as universally recognized as port 445 (SMB) or 3389 (RDP), port 5357 serves a critical role in modern Windows ecosystems. From a Hacktricks perspective—meaning the practical, offensive-oriented knowledge base curated by the Hacktricks community (book.hacktricks.xyz)—port 5357 is associated with WSDAPI (Web Services Dynamic Discovery API) and, more notably, the Function Discovery Resource Publication Service . This essay explores the technical nature of port 5357, its exposure to attackers, enumeration techniques, potential exploitation paths, and the defensive measures necessary to prevent its abuse. 1. Technical Background: What Runs on Port 5357? Port 5357 is primarily used by Microsoft’s Web Services on Devices (WSD) stack, specifically the WSDAPI (Web Services Dynamic Discovery API). This service allows networked devices—such as printers, scanners, media servers, and UPnP-like devices—to advertise their presence and capabilities to Windows hosts without requiring manual configuration. port 5357 hacktricks
nmap -p 5357 --script=http-enum,wsd-discover <target> Or masscan for speed: The service listening on port 5357 is typically
masscan -p5357 --rate=10000 <subnet> A simple HTTP GET request to http://<target>:5357/ may return a response containing "Web Services Dynamic Discovery" or an XML device description. Introduction In the landscape of network reconnaissance and
Using curl :
curl http://<target>:5357/ Using wsdd (Web Services Dynamic Discovery) tools, one can enumerate devices: