Port 5357 Hacktricks full -

Port 5357 HackTricks: Exploiting WSDAPI and the Web Services for Devices

HackTricks often notes that port 5357 may be:

If the WSD endpoint belongs to a print device, the host might be vulnerable to the PrintNightmare chain: port 5357 hacktricks

Use MS-RPRN to coerce authentication from the print spooler to an attacker’s machine.
WSD on port 5357 can be the relay target for NTLM captured from a domain controller.

Older Windows versions (7, Server 2008 R2, early 2016) had a RCE via crafted ProbeMatches message. Exploit code exists on Exploit-DB. Port 5357 HackTricks: Exploiting WSDAPI and the Web

Information disclosure: Device metadata, service lists, and configuration details can be exposed.
Unauthenticated actions: Some devices or implementations may accept commands without strong authentication, enabling configuration changes or remote actions (print jobs, firmware triggers).
Service enumeration: Attackers can enumerate devices on a network and map topology for follow-on attacks.
Pivoting/lateral movement: Compromised or exposed devices can be leveraged to reach internal services.
Fingerprinting for vulnerabilities: Exposed WSD endpoints help attackers identify devices with known CVEs.

# Using wsd-client tools (if installed)
wsdd – discover

Disable Network Discovery on all workstations and servers not requiring it.
Block outbound port 5357 on firewalls (it’s rarely needed outside LAN).
Monitor Event ID 5156 (Windows Filtering Platform) for connections to port 5357.

Use PowerShell to check WSD status:

Get-Service WSDService
Stop-Service WSDService -Force
Set-Service WSDService -StartupType Disabled

wsddebug.js or wsdump (from impacket)