hacktricks/network-services-pentesting/3702-udp-pentesting-ws-discovery.md
2024-12-12 11:39:29 +01:00

3.7 KiB

3702/UDP - Pentesting WS-Discovery

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Basic Information

The Web Services Dynamic Discovery Protocol (WS-Discovery) is identified as a protocol designed for the discovery of services within a local network through multicast. It facilitates the interaction between Target Services and Clients. Target Services are endpoints available for discovery, while Clients are the ones actively searching for these services. Communication is established using SOAP queries over UDP, directed to the multicast address 239.255.255.250 and UDP port 3702.

Upon joining a network, a Target Service announces its presence by broadcasting a multicast Hello. It remains open to receiving multicast Probes from Clients that are on the lookout for services by Type, an identifier unique to the endpoint (e.g., NetworkVideoTransmitter for an IP camera). In response to a matching Probe, a Target Service may send a unicast Probe Match. Similarly, a Target Service could receive a multicast Resolve aimed at identifying a service by name, to which it may reply with a unicast Resolve Match if it is the intended target. In the event of leaving the network, a Target Service attempts to broadcast a multicast Bye, signaling its departure.

Default port: 3702

PORT     STATE         SERVICE
3702/udp open|filtered unknown
| wsdd-discover:
|   Devices
|     Message id: 39a2b7f2-fdbd-690c-c7c9-deadbeefceb3
|     Address: http://10.0.200.116:50000
|_    Type: Device wprt:PrintDeviceType

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}