Port 5357: WSDAPI Enumeration and Penetration Testing (TCP) is primarily used by the Web Services for Devices API (WSDAPI) , Microsoft's implementation of the WS-Discovery protocol. It allows Windows systems to automatically discover and communicate with network-connected devices like printers, scanners, and file shares over HTTP. In a penetration testing context, this port is often a target for fingerprinting Windows environments or exploiting legacy memory corruption vulnerabilities. Service Overview
Threat landscape — practical concerns, not just CVEs
Domain Controllers rarely need WSD active. If port 5357 is open, the host is likely a workstation, a print server, or a file storage server.
nmap -p 5357 -sV -sC <target-ip>
If you navigate to http:// :5357/ via a web browser or curl, you will typically receive a or a 400 Bad Request error. This is normal because the endpoint expects specific XML SOAP structures rather than standard browser requests. To see if the server responds, look at the HTTP headers: curl -I http:// :5357/ Use code with caution. Expected Response:
Port is used by the Web Services for Devices API (WSDAPI) , a Microsoft implementation of the WS-Discovery protocol . It allows Windows systems to automatically discover and communicate with network devices like printers, scanners, and cameras over HTTP. Service Summary Service Name: wsdapi Common Banner: Microsoft-HTTPAPI/2.0 Protocol: HTTP over TCP (Port 5357) or HTTPS (Port 5358).
Port 5357 is commonly utilized by Microsoft Windows for the Web Services on Devices (WSD) API. This service allows devices like printers, scanners, and file shares to be discovered and managed automatically over a local network. While highly convenient for enterprise and home networking, exposing this port can provide attackers with valuable reconnaissance data and potential vectors for lateral movement. port 5357 hacktricks
When a Windows machine has "Network Discovery" enabled, the operating system uses multicast over 3702/UDP to announce its presence or search for nearby peripherals. Once a handshake or local announcement completes, standard device control and event notification channel traffic transitions to a reliable TCP stream over Port 5357 (HTTP) or Port 5358 (HTTPS) .
Port 5357 – WSDAPI (Web Services for Devices) - PentestPad
: It provides an HTTP-based discovery mechanism. When accessed via a browser, it may return a "404 Not Found" or a simple status message if the service is active but not configured to serve a root page. Enumeration & Pentesting Approach Port 5357: WSDAPI Enumeration and Penetration Testing (TCP)
When auditing a network via an Nmap scan, port 5357 typically presents with specific structural signatures: nmap -p 5357 -sV -sC Use code with caution. Expected Scan Output
WSDAPI (Web Services for Devices) / HTTP Commonly found on: Windows (Windows 7, 8, 10, Server editions) Protocol: HTTP (often REST-like SOAP/XML services)
HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Wed, 03 Jun 2026 12:00:00 GMT Connection: close Content-Length: 315 Use code with caution. This is normal because the endpoint expects specific
netsh advfirewall firewall add rule name="Block Port 5357" dir=in action=block protocol=TCP localport=5357 Use code with caution. Disabling Network Discovery