Port 5357 Hacktricks

When a Windows machine has "Network Discovery" enabled, the operating system uses multicast over 3702/UDP to announce its presence or search for nearby peripherals. Once a handshake or local announcement completes, device control and event notification traffic moves to a reliable TCP stream on port 5357 (HTTP) or port 5358 (HTTPS).

She pulled up her terminal. According to HackTricks, the best way to interact with this service wasn't a complex exploit script, but a simple, specially crafted UDP packet sent to the multicast address. However, since she was testing from the outside, she had to target the specific IP directly.

Stop and disable the fdphost service.

The service responds to HTTP POST requests containing specific XML SOAP payloads.

2. Enumeration and Reconnaissance

Port 5357 carries the Web Services on Devices API (WSDAPI) over HTTP. It allows Windows machines to discover and control devices on a local network using standard web service protocols.

Why is it Exposed?

Port 5357 is used by Microsoft's Web Services on Devices API (WSDAPI) for local network discovery of devices such as printers, and it is frequently targeted in penetration testing to gather host metadata and network information. Although not covered by HackTricks, this service often leaks information. It can be mitigated by disabling Network Discovery in the Windows Control Panel or by configuring firewall rules. More detailed port analysis can be found on PentestPad.
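As an added example (not from the original page or from HackTricks), this read-only PowerShell audit checks the local host for the exposure and mitigations described above: listeners on 5357/5358, the state of the fdPHost service, and enabled inbound firewall rules that name those ports. The FDResPub service and the output property names are assumptions of this example, not taken from the page.

```powershell
# Added example: read-only audit of WSDAPI exposure on the local Windows host.
# Uses the built-in NetTCPIP and NetSecurity modules (Windows 8 / Server 2012 and later).
$wsdPorts = '5357', '5358'   # HTTP and HTTPS WSDAPI ports named on this page

# 1. Listening sockets on the WSDAPI ports.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { "$($_.LocalPort)" -in $wsdPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Function Discovery services. fdPHost is the service the page says to disable;
#    FDResPub is included as an assumption of this example.
$services = Get-Service -Name fdPHost, FDResPub -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 3. Enabled inbound allow rules whose TCP local port lists 5357/5358 explicitly.
#    Rules scoped to "Any" port or to a port range are not matched here.
$rules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $filter = $rule | Get-NetFirewallPortFilter
    if ($filter.Protocol -eq 'TCP' -and ($filter.LocalPort | Where-Object { $_ -in $wsdPorts })) {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Profile   = $rule.Profile          # Domain, Private, Public or Any
            LocalPort = $filter.LocalPort -join ','
        }
    }
}

# 4. Network category of each active interface. A matching rule that applies to
#    Public (or Any) is the case worth fixing first.
$profiles = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
$ruleCoversPublic = [bool]($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })

[pscustomobject]@{
    Listening        = [bool]$listeners
    Services         = $services
    AllowRules       = $rules
    NetworkProfiles  = $profiles
    RuleCoversPublic = $ruleCoversPublic
} | Format-List
```

The firewall loop queries one port filter per rule, so it can take a minute on hosts with many rules.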

Usually open on Windows clients (Vista and later), IoT devices, and network printers.

Associated Ports:

A specially crafted packet sent to the WSDAPI can cause a crash (denial of service) or potentially allow Remote Code Execution (RCE).

Attack Vectors:

If you navigate to http://<host>:5357/ via a web browser or curl, you will typically receive a or a 400 Bad Request error. This is normal because the endpoint expects specific XML SOAP structures rather than standard browser requests. To see if the server responds, look at the HTTP headers:

curl -I http://<host>:5357/

Expected Response:

The "HackTricks" approach to this port typically involves information disclosure and enumeration rather than direct, modern exploits.

🛠️ Feature: Service Information Enumeration

The primary "feature" of an open port 5357 is its ability to leak metadata about the host and its connected peripherals.

If you encounter Port 5357 during a scan, you can use these methods to gather more information:

Querying the HTTP headers or the WSD XML payloads often reveals exact computer hostnames, internal Active Directory domain names, and operating system build versions.

Device Functionality Discovery

You can utilize native Windows PowerShell commands to query WSD infrastructure directly without uploading external binaries: