Port 5357 Hacktricks Link
I notice you're asking about "port 5357 hacktricks" — are you looking for security research related to port 5357 (often associated with WSDAPI / Web Services on Devices or Microsoft WER), or specifically for a known article or write‑up from HackTricks?
Just to clarify:
- Port 5357 is commonly used by:
  - WSD (Web Services on Dynamic Discovery) – can be abused for internal network scanning, reflection attacks, or information disclosure.
  - Microsoft Windows Remote Management (WinRM) alternative ports / WER (Windows Error Reporting) in some configurations.
  - In some cases, HTTP/HTTPS based device management interfaces.
- HackTricks (by Carlos Polop) is a well‑known pentesting and CTF resource, but as far as I’m aware, there is no dedicated “port 5357 HackTricks paper” in the official HackTricks repository. There might be:
  - A mention of port 5357 inside a broader article (e.g., Windows network attacks, UPNP/WSD abuse, or port scanning).
  - A community write‑up inspired by HackTricks methodology.
  - A third‑party paper referencing both.
Could you clarify what exactly you’re looking for? For example:
- A known vulnerability or attack vector involving port 5357?
- A specific HackTricks page (maybe you remember a title or keyword)?
- A security white paper that covers port 5357 + HackTricks techniques?
If you’re trying to find if port 5357 is interesting for pentesting:
Yes — it can sometimes be exploited for SSRF, internal host discovery, or NTLM relay if a vulnerable service is listening. Check if the service responds to http://<target>:5357 — some WSD implementations leak system information.
Port 5357 is a common sight during Windows penetration tests, often identified as Microsoft HTTPAPI httpd 2.0 or WSDAPI (Web Services for Devices API). While often overlooked, it serves as a critical discovery point for local network reconnaissance and legacy exploitation.
Service Overview: WSDAPI
WSDAPI is Microsoft's implementation of the WS-Discovery protocol. It allows Windows machines to automatically discover and communicate with network-connected devices like printers, scanners, and file shares without manual configuration.
- Port 5357 (TCP): Used for HTTP-based communication.
- Port 5358 (TCP): Used for HTTPS-based communication.
- Port 3702 (UDP): Used for multicast discovery.
Reconnaissance & Enumeration
When you encounter port 5357, the first step is to confirm the service and identify potential information leaks.
1. Nmap Service Detection
A standard version scan will often reveal the underlying HTTP server.
nmap -sV -p 5357 <target>
Expected Output: 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP).
2. Information Disclosure
Port 5357 can leak metadata useful for fingerprinting the target.
- Hostnames & Device Names: WSD often broadcasts the actual name of the computer or printer.
- OS Fingerprinting: The specific response from Microsoft-HTTPAPI/2.0 can help narrow down Windows versions (commonly seen in Vista, Windows 7, and Server 2008).
Vulnerabilities & Exploitation
1. Remote Code Execution (MS09-063 / CVE-2009-2512)
This is the most critical historic vulnerability associated with port 5357.
Reference: Microsoft Security Bulletin MS09-063 - Critical
Example detection signatures (IDS/Suricata/Snort)
- HTTP requests to port 5357 containing SOAP actions like GetDeviceInformation or GetServices.
- Large or malformed SOAP envelopes to :5357 (possible fuzzing/exploit attempts).
- Unexpected POSTs to /Device or /wsd endpoints from unusual hosts.
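The three signature ideas above, written as detection logic over HTTP request records. This is an added example, not part of the original page or of any HackTricks or vendor rule set. The record field names, the 64 KiB size limit and the 10.0.5.0/24 allowlist are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumptions (not from the page): record field names, the 64 KiB size limit
# and the allowlisted management subnet are illustrative choices.
WSD_PORT = 5357
SOAP_ACTIONS = ("getdeviceinformation", "getservices")  # actions named above
WSD_PATHS = {"/device", "/wsd"}                         # endpoints named above
MAX_BODY = 64 * 1024
EXPECTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]

def is_expected(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in EXPECTED_NETS)

def classify(req):
    """Return the alert names raised by one HTTP request record."""
    if req.get("dport") != WSD_PORT:
        return []
    alerts = []
    action = req.get("soap_action", "").lower()
    if any(name in action for name in SOAP_ACTIONS):
        alerts.append("wsd-soap-enumeration")
    body = req.get("body", b"")
    # Heuristic: oversized, or a non-empty body that is not a SOAP envelope.
    looks_soap = body.lstrip().startswith(b"<") and b"Envelope" in body[:1024]
    if len(body) > MAX_BODY or (body and not looks_soap):
        alerts.append("wsd-large-or-malformed-envelope")
    path = req.get("uri", "").split("?", 1)[0].rstrip("/").lower()
    if (req.get("method") == "POST" and path in WSD_PATHS
            and not is_expected(req["src"])):
        alerts.append("wsd-post-from-unusual-host")
    return alerts

def scan(records):
    """Return (source, alerts) pairs for every record that raised an alert."""
    hits = [(r["src"], classify(r)) for r in records]
    return [(src, alerts) for src, alerts in hits if alerts]

SAMPLE = [  # constructed records, not captured traffic
    {"src": "10.0.5.20", "dport": 5357, "method": "POST", "uri": "/wsd",
     "soap_action": "", "body": b"<s:Envelope></s:Envelope>"},
    {"src": "10.0.9.77", "dport": 5357, "method": "POST", "uri": "/Device",
     "soap_action": "urn:example:GetDeviceInformation", "body": b"<s:Envelope/>"},
    {"src": "10.0.5.20", "dport": 5357, "method": "GET", "uri": "/",
     "soap_action": "", "body": b"A" * 70000},
]

for src, alerts in scan(SAMPLE):
    print(src, ", ".join(alerts))
```

In practice the records would come from a proxy or network sensor's HTTP log, and the allowlist would hold the subnets where WSD clients and print servers are expected.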
✅ NTLM Hash Capture (Relay Risk)
If the endpoint requires NTLM authentication (e.g., for GetPrinterData action), you can trigger an authentication attempt:
ntlmrelayx.py -tf targets.txt -smb2support
Then convince a user on the target host to visit an attacker-controlled SMB share or use a tool like responder + pxe to force a connection to http://target:5357/wsd.
✅ PrintNightmare over WSD (CVE-2021-1675)
If the WSD endpoint belongs to a print device, the host might be vulnerable to the PrintNightmare chain:
- Use MS-RPRN to coerce authentication from the print spooler to an attacker’s machine.
- WSD on port 5357 can be the relay target for NTLM captured from a domain controller.