logo

Port 427 – SLP (Service Location Protocol)

Service:

slp

Protocol:

TCP/UDP

Port:

427

Used for:

Service discovery in local networks

Why It’s Open

Port 427 is used by the Service Location Protocol (SLP), which provides automatic discovery of network services in IP networks. SLP allows devices and applications to automatically find and access services without requiring prior knowledge of their location. It’s commonly used in enterprise environments for printer discovery, file sharing, and other network services.

Common Risks

  • Service enumeration and reconnaissance
    Attackers can discover internal network services and topology
  • Information disclosure
    SLP responses may reveal sensitive service details and network architecture
  • Denial of service attacks
    Malformed SLP requests can crash or overwhelm services
  • Service spoofing
    Attackers may advertise malicious services to redirect traffic
  • Network topology mapping
    SLP can be used to map internal network infrastructure
  • Amplification attacks
    SLP queries can be used for reflection-based DDoS attacks
  • Unauthorized service registration
    Weak authentication may allow rogue service advertisements

Want to save time on reporting?

Let PentestPad generate, track, and export your reports - automatically.

logo-cta

Enumeration & Testing

Basic Service Detection

Terminal window
nmap -sV -p 427 target_ip

SLP Service Discovery

Terminal window
slptool findsrvs service:http

Security Testing

Terminal window
python3 -c "import socket; s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.sendto(b'\x02\x01\x00\xff'*100, ('target_ip', 427))"

What to Look For

CheckpointWhat it means
Service discoveryCheck what services are advertised via SLP
AuthenticationVerify if SLP requires authentication for registration
Network exposureCheck if SLP is exposed to untrusted networks
Service validationVerify advertised services are legitimate

Mitigation

  • Disable if unnecessary
    Remove SLP services if not required
  • Network segmentation
    Restrict SLP to trusted network segments
  • Authentication enforcement
    Enable authentication for service registration
  • Rate limiting
    Implement request rate limiting to prevent abuse
  • Monitor traffic
    Log and monitor SLP activity for anomalies
  • Firewall rules
    Block SLP traffic from untrusted sources
  • Service validation
    Regularly audit advertised services

TL;DR

  • Port 427 = Service Location Protocol (SLP) service
  • Protocol: TCP/UDP
  • Used for: Service discovery in local networks
  • Security focus: Service discovery security and network exposure

Known CVEs and Exploits

  • CVE-2019-5544- Exploitable for DDoS attacks
  • CVE-2023-29552 - Remote code execution vulnerability
  • Service Discovery Abuse - SLP can be used for network reconnaissance and service enumeration
  • Reflection Attacks - SLP responses can be leveraged for amplification-based DDoS attacks