Port 5357 – WSDAPI (Web Services for Devices)

Service: http

Protocol: TCP

Port: 5357

Used for: Port 5357 (TCP) is used by Microsoft WSDAPI to discover and communicate with devices like printers and scanners over HTTP in local networks.

Why It’s Open

Port 5357 is used by the Web Services for Devices API (WSDAPI), a Microsoft implementation of WS-Discovery, which allows devices on a local network to advertise and discover services such as printers, scanners, and file shares. It’s primarily used in Windows environments, where it facilitates the automatic discovery of devices without needing a central server or manual configuration.

When enabled, WSD uses HTTP over port 5357 (and multicast over 3702/UDP) to allow applications to communicate with services such as WSD-enabled printers or network scanners. It is typically open on Windows clients, printers, and IoT devices, particularly in unmanaged or small networks.

Common Risks

  • Information Disclosure
    WSD can leak service details such as printer names, hostnames, network paths, and device metadata useful for fingerprinting.
  • Unauthorized Access to Printer or Scanner Interfaces
    In some cases, poorly secured WSD services expose printer admin pages or allow users to submit or intercept print jobs.
  • Surface for Lateral Movement
    Attackers can use WSD traffic to identify internal devices, including workstations, printers, and shared resources.
  • Misconfiguration or Exposure
    WSD is meant for local subnet use, but in some cases, it may be accessible from broader internal or even external networks due to misconfigured firewalls or network segmentation.


Enumeration & Testing

Check if it’s open:

nmap -sT -p 5357 <target>

Detect service banner:

curl http://<target>:5357/

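Monitor multicast service discovery:

Capture WSD-related messages using Wireshark or similar tools. The display filter below covers both the WSD HTTP port and the multicast discovery port (3702/UDP):

tcp.port == 5357 || udp.port == 3702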

What to Look For

Checkpoint | What it means
Port 5357 open externally | WSD is reachable beyond intended scope (should be LAN-only)
Reveals printer/device info | Useful for internal recon or targeting
Accessible print interface | May allow unauthorized submission or manipulation of jobs
No authentication configured | Anyone can discover or interact with the device

Mitigation

  • Restrict Access to Port 5357
    Ensure WSD is only accessible on local subnets and block access from untrusted or external networks.
  • Disable WSD Where Not Needed
    On Windows clients: Control Panel > Devices and Printers > Printer Properties > Ports > Uncheck WSD port
    or disable WSD service via Group Policy or Services.msc.
  • Segment Printers and IoT Devices
    Place them on dedicated VLANs or subnets, isolated from critical systems.
  • Use Traditional IP Printing Protocols
    Replace WSD with more manageable protocols like IPP or LPD, which allow better control and authentication.
  • Monitor WSD Activity
    Watch for unexpected traffic on port 5357 or excessive service discovery broadcasts.
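
To make the "Monitor WSD Activity" step and the information-disclosure risk concrete, the following added example (not part of the original page) parses a captured WS-Discovery ProbeMatches message and reports what each device advertises and whether its XAddrs fall inside the subnet where WSD is expected. The sample message, the function name audit_probe_matches and the 192.168.1.0/24 scope are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"a": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
      "d": "http://schemas.xmlsoap.org/ws/2005/04/discovery"}

# Constructed sample: a WS-Discovery ProbeMatches reply (3702/UDP) from two devices.
SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
  xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery"><s:Body><d:ProbeMatches>
 <d:ProbeMatch>
  <a:EndpointReference><a:Address>urn:uuid:00000000-0000-0000-0000-000000000001</a:Address></a:EndpointReference>
  <d:Types>wsdp:Device pub:Computer</d:Types>
  <d:XAddrs>http://192.168.1.20:5357/00000000-0000-0000-0000-000000000001/</d:XAddrs>
 </d:ProbeMatch>
 <d:ProbeMatch>
  <a:EndpointReference><a:Address>urn:uuid:00000000-0000-0000-0000-000000000002</a:Address></a:EndpointReference>
  <d:Types>wsdp:Device wprt:PrintDeviceType</d:Types>
  <d:XAddrs>http://10.20.0.5:5357/00000000-0000-0000-0000-000000000002/</d:XAddrs>
 </d:ProbeMatch>
</d:ProbeMatches></s:Body></s:Envelope>"""

def audit_probe_matches(xml_text, allowed_net):
    """List what each ProbeMatch discloses and whether its XAddr is inside allowed_net."""
    net = ipaddress.ip_network(allowed_net)
    findings = []
    for pm in ET.fromstring(xml_text).iterfind(".//d:ProbeMatch", NS):
        endpoint = pm.findtext("a:EndpointReference/a:Address", "", NS).strip()
        types = pm.findtext("d:Types", "", NS).split()
        for url in pm.findtext("d:XAddrs", "", NS).split():
            parts = urlsplit(url)
            try:
                port = parts.port
            except ValueError:          # malformed port in the advertised URL
                port = None
            try:
                in_scope = ipaddress.ip_address(parts.hostname or "") in net
            except ValueError:          # XAddr uses a hostname, not an IP literal
                in_scope = None
            findings.append({"endpoint": endpoint, "types": types, "xaddr": url,
                             "port": port, "in_scope": in_scope})
    return findings

if __name__ == "__main__":
    labels = {True: "ok", False: "OUT OF SCOPE", None: "hostname, check manually"}
    for f in audit_probe_matches(SAMPLE, "192.168.1.0/24"):
        print(f"{f['xaddr']}  types={f['types']}  -> {labels[f['in_scope']]}")
```

Feed it the SOAP payloads exported from a capture on 3702/UDP; any entry reported out of scope indicates WSD announcements crossing the segment boundary the mitigation steps are meant to enforce.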

Known CVEs and Exploits

  • CVE-2019-10149 – While not directly tied to 5357, exposed printing interfaces via WSD have been part of broader exploit chains.
  • CVE-2022-30798 – WSD-related vulnerability in some IoT devices exposing service details.
  • Microsoft WSD Advisory – Microsoft documentation on securing WSD ports.