Ensure that port 5357 is blocked at the network perimeter. It should never be exposed to the public Internet.
Some WSD implementations accept a Set action. Fuzzing the metadata might reveal an action like SetSystemTime or ExecuteCommand (rare but happens in embedded devices).
# Service discovery
nmap -p 5357 <target>
If you are auditing an older, unpatched Windows Server or workstation, the HTTP protocol stack may be vulnerable to a remote code execution or Denial of Service (DoS) flaw via a maliciously crafted Range header. You can test for this vulnerability using curl:
During a penetration test or a Capture The Flag (CTF) competition, encountering an open port 5357 offers a unique avenue for network enumeration and information gathering. This article breaks down how port 5357 works, how to enumerate it using tools found in the HackTricks methodology, and how to secure it.

1. What is Port 5357 (WS-Discovery)?
WSDAPI RCE (CVE-2020-0796/Related):
A significant memory corruption vulnerability exists where a crafted WS-Discovery message with an overly long MIME-Version string can lead to stack corruption and arbitrary code execution.
If you manage to exploit the vulnerable service, you can deploy standard post-exploitation toolkits like for credential dumping, PowerShell Empire for further enumeration, or Cobalt Strike for long-term persistence.
Run a targeted Nmap scan to identify the service version and execute default enumeration scripts.

nmap -p 5357 -sV -sC <target>

-p 5357: Specifies the target port.
-sV: Detects service and version information.
-sC: Runs default Nmap scripts against the port.

HTTP Enumeration
Attackers on the local subnet (intranet) can send malicious packets to the service, though it is usually blocked by firewall settings from the public internet.

4. Mitigation and Security Best Practices

Disable Network Discovery:
The "HackTricks" approach to this port typically involves information disclosure and enumeration rather than direct, modern exploits.

🛠️ Feature: Service Information Enumeration
A critical vulnerability (MS09-063) previously allowed remote code execution through specially crafted WSD messages on ports 5357/5358. While patched in modern systems, it serves as a reminder of the risks of leaving this API exposed.
While modern Windows versions are more secure, port 5357 has historically been associated with:
Enumeration is the first step when targeting port 5357. You must determine the exact service, operating system version, and configuration details.

Nmap Scanning