Port 5357 HackTricks
Furthermore, the existence of this service suggests a broader security misconfiguration: the reliance on legacy discovery protocols. Port 5357 often works in tandem with UDP port 5355 (LLMNR) and UDP port 5353 (mDNS). The presence of port 5357 signals to an attacker that the network may be reliant on legacy broadcasting mechanisms. This opens the door to more complex attacks, such as LLMNR/NBT-NS poisoning (via tools like Responder). If a system is announcing its existence on port 5357, it is highly likely to be listening for name resolution requests on the associated ports, allowing an attacker to intercept traffic and potentially capture password hashes by spoofing legitimate server responses.
HackTricks (by Carlos Polop) is a well-known pentesting and CTF resource, but as far as I’m aware, there is no dedicated “port 5357 HackTricks paper” in the official HackTricks repository. There might be: port 5357 hacktricks
Port 5357 is not inherently malicious, but its presence provides several opportunities for an attacker to gain information about the network.
A. Information Disclosure (Network Mapping)
WSD can disclose sensitive device information, including:
Port 5357 is used by the Web Services for Devices API (WSDAPI), a Microsoft implementation of the WS-Discovery protocol. It allows Windows systems to automatically discover and communicate with network devices like printers, scanners, and cameras over HTTP.
Service Summary
Service Name: wsdapi
Common Banner: Microsoft-HTTPAPI/2.0
Protocol: HTTP over TCP (Port 5357) or HTTPS (Port 5358).
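As an added example (not from the original page or from HackTricks), the following defender-side triage reads scan results and lists hosts that expose WSDAPI on the ports above, noting whether the HTTPAPI banner is present and whether LLMNR or mDNS also appear to be listening. The nmap grepable (`-oG`) input format, the sample hosts and the function names are assumptions made for illustration.

```python
import re

# Ports named on this page: WSDAPI over HTTP/HTTPS, plus the discovery
# protocols the page says often accompany it.
WSD_TCP = {5357, 5358}
COMPANION_UDP = {5355: "LLMNR", 5353: "mDNS"}

# Constructed sample in nmap grepable (-oG) form; addresses are documentation ranges.
SAMPLE_SCAN = """\
Host: 192.0.2.10 (ws01)\tPorts: 445/open/tcp//microsoft-ds///, 5357/open/tcp//http//Microsoft HTTPAPI httpd 2.0 (SSDP|UPnP)/, 5355/open|filtered/udp//llmnr///
Host: 192.0.2.11 (prn01)\tPorts: 5357/open/tcp//http//nginx/, 5353/closed/udp//zeroconf///
Host: 192.0.2.12 (srv01)\tPorts: 443/open/tcp//https///, 5357/filtered/tcp//wsdapi///
"""

def parse_ports(field):
    """Yield (port, state, proto, version) from a grepable 'Ports:' field."""
    for entry in field.split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 7 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2], parts[6]

def triage(scan_text):
    """Return one finding per host with WSDAPI reachable on 5357/5358."""
    findings = []
    for line in scan_text.splitlines():
        m = re.match(r"Host: (\S+).*?\tPorts: (.*)", line)
        if not m:
            continue
        host, wsd, companions, banner_ok = m.group(1), [], [], False
        for port, state, proto, version in parse_ports(m.group(2)):
            if proto == "tcp" and port in WSD_TCP and state == "open":
                wsd.append(port)
                banner_ok = banner_ok or "httpapi" in version.lower()
            # UDP scans often report open|filtered; treat that as possibly listening.
            elif proto == "udp" and port in COMPANION_UDP and state.startswith("open"):
                companions.append(COMPANION_UDP[port])
        if wsd:
            findings.append({"host": host, "ports": wsd,
                             "httpapi_banner": banner_ok, "companions": companions})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN):
        print(finding)
```

Hosts that show both the WSDAPI listener and a companion discovery protocol are the ones to review first when deciding where network discovery can be switched off or firewalled.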
Why port 5357 matters
Port 5357 serves as a perfect example of why a thorough penetration test goes beyond merely checking for the "big-name" vulnerabilities. While the service it hosts—WSDAPI—provides legitimate and valuable "plug-and-play" functionality, it also represents a real and often overlooked attack vector. The service's history of memory corruption flaws and the ongoing risks from misconfigurations mean that for a security professional, 5357 is a port that always merits a closer look during any network assessment.
Attackers can abuse these services to force unauthenticated NTLM authentication, which can then be relayed to other services.