Port 5357 Hacktricks

If network discovery and file sharing are not required on the server, disable the "Function Discovery Provider Host" and "Function Discovery Resource Publication" services.

gobuster dir -u http://<target>:5357/ -w /usr/share/wordlists/dirb/common.txt

Attack Vectors and Exploitation

If automatic device discovery is not needed in the enterprise environment, disable the following Windows services via Group Policy (GPO): Function Discovery Provider Host (fdPHost) and Function Discovery Resource Publication (FDResPub).

Port 5357 – WSDAPI (Web Services for Devices) - PentestPad

By querying this port, an attacker can discover hostnames, network paths, and unique device metadata.

Port 5357 is often encountered during internal network penetration tests and CTF challenges, particularly on Windows systems. While it can be a vector for remote code execution, understanding its nuances is key to assessing its risk accurately. This comprehensive guide explores enumeration, known vulnerabilities, exploitation scenarios, and hardening strategies for services running on this port.

Poorly secured WSD services can expose printer admin pages, allowing attackers to manipulate or intercept print jobs.

Lateral Movement:

Attempt to browse the port via HTTP. While it may not serve a traditional webpage, it may respond with XML data or SOAP responses that reveal device identity.

Network Context

Since the service communicates over HTTP, hitting the root URL with a web browser or curl usually yields a default Windows HTTP error page.

curl -i http://<target>:5357/

If you need specific commands, exploitation scenarios, or detailed enumeration steps for port 5357 as documented in HackTricks, I recommend checking the website directly or searching within their content.


A significant memory corruption vulnerability exists where a crafted WS-Discovery message with an overly long MIME-Version string can lead to stack corruption and arbitrary code execution.

WSDAPI RCE (CVE-2020-0796/Related):

If you are auditing an older, unpatched Windows Server or workstation, the HTTP protocol stack may be vulnerable to a remote code execution or Denial of Service (DoS) flaw via a maliciously crafted Range header. You can test for this vulnerability using curl:

Get-CimInstance -Namespace root\standardcimv2 -ClassName MSFT_WSDDeviceProxy

5. Defense and Mitigation

Firewall Hardening

suggest blocking this port at the firewall level to prevent unnecessary information leakage.

msfconsole
use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
set RHOSTS <target>
set RPORT 5357
run

2. Information Disclosure via WS-Discovery

Some potential vulnerabilities associated with Port 5357 include:

You can also monitor the network for WSD activity. Use tcpdump or Wireshark to capture multicast traffic on UDP port 3702 and HTTP traffic on TCP port 5357. This can help you identify all devices on the network that are broadcasting their presence and services.
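
As an added example (not from the original page), the Python below takes the payload of one captured UDP 3702 datagram and lists what it discloses, including any advertised service address on TCP 5357. The sample message, its UUID, the pub namespace and the 192.0.2.10 address are constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "a": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
      "d": "http://schemas.xmlsoap.org/ws/2005/04/discovery"}

# Constructed sample: payload of one UDP 3702 datagram (a WS-Discovery Hello).
SAMPLE_HELLO = b"""<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
  xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery"
  xmlns:pub="urn:example:constructed-pub-namespace">
 <s:Header>
  <a:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Hello</a:Action>
 </s:Header>
 <s:Body><d:Hello>
   <a:EndpointReference>
    <a:Address>urn:uuid:00000000-0000-4000-8000-000000000001</a:Address>
   </a:EndpointReference>
   <d:Types>pub:Computer</d:Types>
   <d:XAddrs>http://192.0.2.10:5357/00000000-0000-4000-8000-000000000001/</d:XAddrs>
 </d:Hello></s:Body>
</s:Envelope>"""

def _port(url):
    try:
        return urlsplit(url).port
    except ValueError:  # malformed authority or port in an advertised address
        return None

def summarize_wsd(payload: bytes) -> dict:
    """List the identity fields one WS-Discovery message exposes."""
    if b"<!DOCTYPE" in payload or b"<!ENTITY" in payload:
        raise ValueError("DTD present; refusing to parse untrusted XML")
    root = ET.fromstring(payload)
    action = root.findtext("s:Header/a:Action", default="", namespaces=NS)
    summary = {"action": action.rsplit("/", 1)[-1], "endpoints": []}
    body = root.find("s:Body", NS)
    # Hello/Bye carry one endpoint; ProbeMatches/ResolveMatches carry several.
    for node in (body.iter() if body is not None else ()):
        ref = node.findtext("a:EndpointReference/a:Address", namespaces=NS)
        if ref is None:
            continue
        xaddrs = node.findtext("d:XAddrs", default="", namespaces=NS).split()
        types = node.findtext("d:Types", default="", namespaces=NS).split()
        hosts = sorted({urlsplit(x).hostname or "" for x in xaddrs if _port(x) == 5357})
        summary["endpoints"].append({"id": ref.strip(), "types": types,
                                     "xaddrs": xaddrs, "tcp5357_hosts": hosts})
    return summary
```

Running it over every datagram in a capture gives an inventory of hosts still announcing themselves, which is a direct check that disabling fdPHost and FDResPub took effect.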