Hacktricks-skills ws-discovery-pentesting

Pentest WS-Discovery (Web Services Dynamic Discovery) services on UDP port 3702. Use this skill whenever you need to discover network services via multicast, probe for devices like IP cameras, printers, or other WS-Discovery enabled endpoints, or analyze WS-Discovery traffic. Trigger this skill for any network reconnaissance involving port 3702/UDP, service discovery attacks, or when investigating devices that use SOAP-based discovery protocols.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/3702-udp-pentesting-ws-discovery/SKILL.MD
source content

WS-Discovery Pentesting (Port 3702/UDP)

A skill for discovering and pentesting WS-Discovery (Web Services Dynamic Discovery) services on local networks.

Overview

WS-Discovery (WS-Dynamic Discovery) is a protocol for finding services on the local link by multicast. Messages are SOAP envelopes carried in UDP datagrams: clients send them to the multicast group 239.255.255.250:3702 (IPv4; [FF02::C]:3702 for IPv6), and matching services answer with a unicast UDP datagram to the sender's source address and port. It is the discovery half of DPWS, WS-Print/WS-Scan and ONVIF, so printers, multifunction devices, IP cameras and Windows hosts (WSD printing) all speak it, and none of it is authenticated by default.

Key Concepts

  • Target Services: Endpoints available for discovery (e.g., IP cameras, printers)
  • Clients: Devices actively searching for services
  • Multicast Address: 239.255.255.250:3702
  • Protocol: SOAP over UDP

WS-Discovery Message Types

| Message | Direction | Purpose |
|---|---|---|
| Hello | Multicast | Service announces that it has joined the network |
| Probe | Multicast | Client searches for services by Type and/or Scope (an empty Probe matches everything) |
| Probe Match | Unicast | Service answers a Probe it matches, to the prober's source address and port |
| Resolve | Multicast | Client asks a known endpoint (by EndpointReference address) for its transport addresses |
| Resolve Match | Unicast | Service answers a Resolve with its XAddrs |
| Bye | Multicast | Service announces that it is leaving the network |

Scanning for WS-Discovery Services

Using wsdd-discover

# Basic scan for all WS-Discovery services
wsdd-discover

# Scan with specific timeout
wsdd-discover -t 5

# Scan with verbose output
wsdd-discover -v

Using nmap

# Nmap script for WS-Discovery
nmap -sU -p 3702 --script wsdd-discover <target>

# Example output:
# PORT     STATE         SERVICE
# 3702/udp open|filtered unknown
# | wsdd-discover:
# |   Devices
# |     Message id: 39a2b7f2-fdbd-690c-c7c9-deadbeefceb3
# |     Address: http://10.0.200.116:50000
# |_    Type: Device wprt:PrintDeviceType

Using Python Script

Run the bundled script for automated probing:

python scripts/ws-discovery-probe.py --target 239.255.255.250 --port 3702

Probing for Specific Device Types

WS-Discovery uses Type identifiers to categorize devices. A Type is an XML QName: the prefix only has meaning together with the namespace it is bound to in that particular message, so match on the namespace, not on whatever prefix a device happens to choose. Common types include:

Common Device Types

| Type | Namespace | Description |
|---|---|---|
| wsdp:Device | http://schemas.xmlsoap.org/ws/2006/02/devprof | Generic DPWS device; advertised by nearly every WS-Discovery endpoint (the "Device" in the nmap output above) |
| wprt:PrintDeviceType | http://schemas.microsoft.com/windows/2006/08/wdp/print | WS-Print network printers |
| wscn:ScanDeviceType | http://schemas.microsoft.com/windows/2006/08/wdp/scan | WS-Scan scanners and multifunction devices |
| dn:NetworkVideoTransmitter | http://www.onvif.org/ver10/network/wsdl | ONVIF IP cameras and video encoders |
| tds:Device | http://www.onvif.org/ver10/device/wsdl | ONVIF device service, normally listed alongside dn:NetworkVideoTransmitter |

Note that upnp:rootdevice is an SSDP search target (UDP port 1900), not a WS-Discovery Type; UPnP devices are enumerated with a different protocol and a different port.

Probe for Specific Type

# Probe for IP cameras (ONVIF)
python scripts/ws-discovery-probe.py --type dn:NetworkVideoTransmitter

# Probe for printers
python scripts/ws-discovery-probe.py --type wprt:PrintDeviceType

# Probe for all DPWS devices (or omit --type to send an empty Probe, which matches everything)
python scripts/ws-discovery-probe.py --type wsdp:Device

Analyzing WS-Discovery Responses

Response Structure

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery"
            xmlns:dn="http://www.onvif.org/ver10/network/wsdl">
  <s:Header>
    <a:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/ProbeMatches</a:Action>
    <a:MessageID>urn:uuid:...</a:MessageID>
    <!-- MessageID of the Probe this reply answers -->
    <a:RelatesTo>urn:uuid:...</a:RelatesTo>
    <a:To>http://www.w3.org/2005/08/addressing/anonymous</a:To>
  </s:Header>
  <s:Body>
    <d:ProbeMatches>
      <d:ProbeMatch>
        <a:EndpointReference>
          <a:Address>urn:uuid:...</a:Address>
        </a:EndpointReference>
        <d:Types>dn:NetworkVideoTransmitter</d:Types>
        <d:Scopes>...</d:Scopes>
        <d:XAddrs>http://10.0.200.116:50000</d:XAddrs>
        <d:MetadataVersion>1</d:MetadataVersion>
      </d:ProbeMatch>
    </d:ProbeMatches>
  </s:Body>
</s:Envelope>

Key Fields to Extract

  1. EndpointReference/Address: the stable identity of the service (usually a urn:uuid:...); it is what a Resolve asks about and what lets you recognise the same device after its IP changes
  2. Types: space-separated list of QNames describing the device or service (see the type table above)
  3. Scopes: space-separated list of URIs the device belongs to; ONVIF devices put the model, name and location here (onvif://www.onvif.org/hardware/..., .../name/..., .../location/...), which is where most of the information disclosure lives
  4. XAddrs: transport addresses (HTTP URLs) at which the service can actually be reached; these are the targets for follow-up enumeration
  5. MessageID and RelatesTo: the reply's own ID and the ID of the Probe it answers; match RelatesTo against your Probe's MessageID to tie replies to your scan and to discard unsolicited or replayed matches
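The Probe/Probe Match exchange from the message table, and the field extraction described above, as one runnable example. This is added code for this page, not the skill's bundled scripts/ws-discovery-probe.py and not nmap's script: it builds a Probe, multicasts it with TTL 1, and parses the unicast ProbeMatches replies. The TYPE_NS prefix-to-namespace table and the SAMPLE_REPLY datagram are assumptions constructed for the example; Types in replies are rewritten to Clark notation ({namespace}local) so that a camera that declares the ONVIF namespace as tdn: still matches a query written with dn:.

```python
"""WS-Discovery Probe / ProbeMatches helper (added example, not the skill's own script)."""
import io
import socket
import uuid
import xml.etree.ElementTree as ET

WSD_MCAST = ("239.255.255.250", 3702)
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "d": "http://schemas.xmlsoap.org/ws/2005/04/discovery",
}
# Assumed prefix -> namespace mappings for the Types used on this page
# (wsdp = DPWS, wprt/wscn = WS-Print/WS-Scan, dn = ONVIF network video).
TYPE_NS = {
    "wsdp": "http://schemas.xmlsoap.org/ws/2006/02/devprof",
    "wprt": "http://schemas.microsoft.com/windows/2006/08/wdp/print",
    "wscn": "http://schemas.microsoft.com/windows/2006/08/wdp/scan",
    "dn": "http://www.onvif.org/ver10/network/wsdl",
}


def qualify(qname, nsmap):
    """'dn:NetworkVideoTransmitter' -> '{http://...}NetworkVideoTransmitter' using nsmap."""
    prefix, _, local = qname.rpartition(":")
    return f"{{{nsmap[prefix]}}}{local}" if prefix in nsmap else qname


def build_probe(types=()):
    """Return (message_id, bytes) for a Probe; an empty types list matches every service."""
    msg_id = "urn:uuid:" + str(uuid.uuid4())
    prefixes = sorted({t.rpartition(":")[0] for t in types if ":" in t})
    for p in prefixes:
        if p not in TYPE_NS:
            raise ValueError(f"unknown type prefix {p!r}: add it to TYPE_NS")
    extra_ns = "".join(f' xmlns:{p}="{TYPE_NS[p]}"' for p in prefixes)  # declare only what we use
    types_el = f"<d:Types>{' '.join(types)}</d:Types>" if types else ""
    xml = (
        f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:a="{NS["a"]}" xmlns:d="{NS["d"]}"{extra_ns}>'
        f"<s:Header><a:Action>{NS['d']}/Probe</a:Action><a:MessageID>{msg_id}</a:MessageID>"
        "<a:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To></s:Header>"
        f"<s:Body><d:Probe>{types_el}</d:Probe></s:Body></s:Envelope>"
    )
    return msg_id, xml.encode()


def parse_probe_matches(data, expect_relates_to=None):
    """Parse one ProbeMatches datagram into a list of dicts; [] if it is not a usable reply."""
    try:
        nsmap = {p: u for _, (p, u) in ET.iterparse(io.BytesIO(data), events=("start-ns",))}
        root = ET.fromstring(data)
    except ET.ParseError:
        return []  # junk or truncated datagram: skip it, never crash the scanner on one reply
    hdr = root.find("s:Header", NS)
    if hdr is None or hdr.findtext("a:Action", "", NS).strip() != NS["d"] + "/ProbeMatches":
        return []
    if expect_relates_to and hdr.findtext("a:RelatesTo", "", NS).strip() != expect_relates_to:
        return []  # not an answer to our Probe: stale, replayed or unsolicited
    matches = []
    for pm in root.iterfind("s:Body/d:ProbeMatches/d:ProbeMatch", NS):
        get = pm.findtext
        matches.append({
            "address": get("a:EndpointReference/a:Address", "", NS).strip(),
            "types": [qualify(t, nsmap) for t in get("d:Types", "", NS).split()],
            "scopes": get("d:Scopes", "", NS).split(),
            "xaddrs": get("d:XAddrs", "", NS).split(),
            "metadata_version": get("d:MetadataVersion", "", NS).strip(),
        })
    return matches


def has_type(match, qname):
    """True if a parsed match advertises qname (written with a TYPE_NS prefix)."""
    return qualify(qname, TYPE_NS) in match["types"]


def probe(types=(), timeout=2.0, iface_ip="0.0.0.0"):
    """Multicast one Probe (TTL 1, so it stays on the local link) and collect replies for timeout seconds."""
    msg_id, payload = build_probe(types)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    sock.settimeout(timeout)
    sock.sendto(payload, WSD_MCAST)
    found = {}  # keyed by EndpointReference address: one entry per device, not per datagram
    try:
        while True:
            data, (src, _) = sock.recvfrom(65535)
            for m in parse_probe_matches(data, expect_relates_to=msg_id):
                found.setdefault(m["address"], dict(m, src=src))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return list(found.values())


# Constructed sample reply: an ONVIF camera that binds the network-video namespace to "tdn", not "dn".
SAMPLE_REPLY = b"""<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"
 xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery" xmlns:tdn="http://www.onvif.org/ver10/network/wsdl"
 xmlns:tds="http://www.onvif.org/ver10/device/wsdl">
 <s:Header><a:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/ProbeMatches</a:Action>
  <a:MessageID>urn:uuid:00000000-0000-0000-0000-0000000000aa</a:MessageID>
  <a:RelatesTo>urn:uuid:00000000-0000-0000-0000-000000000001</a:RelatesTo></s:Header>
 <s:Body><d:ProbeMatches><d:ProbeMatch>
  <a:EndpointReference><a:Address>urn:uuid:00000000-0000-0000-0000-0000000000c1</a:Address></a:EndpointReference>
  <d:Types>tdn:NetworkVideoTransmitter tds:Device</d:Types>
  <d:Scopes>onvif://www.onvif.org/type/video_encoder onvif://www.onvif.org/hardware/IPC-01 onvif://www.onvif.org/name/Lobby</d:Scopes>
  <d:XAddrs>http://192.168.1.50/onvif/device_service</d:XAddrs><d:MetadataVersion>1</d:MetadataVersion>
 </d:ProbeMatch></d:ProbeMatches></s:Body></s:Envelope>"""

if __name__ == "__main__":
    import sys
    for m in probe(sys.argv[1:]):  # e.g. python wsd_probe.py dn:NetworkVideoTransmitter
        print(m["src"], m["address"], " ".join(m["xaddrs"]), " ".join(m["scopes"]))
```

Run it with no arguments for an empty Probe (everything answers), or with one or more prefixed Types to narrow the search; replies whose RelatesTo does not match the Probe's MessageID are dropped, which is the same check a client uses to ignore spoofed or replayed matches.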

Attack Vectors

1. Service Enumeration

Discover all WS-Discovery services on the network:

# Enumerate all services
python scripts/ws-discovery-probe.py --enumerate

# Save results to file
python scripts/ws-discovery-probe.py --output ws-discovery-results.json

2. Targeted Probing

Probe for specific device types that may have vulnerabilities:

# Target ONVIF IP cameras (often shipped with default or weak credentials)
python scripts/ws-discovery-probe.py --type dn:NetworkVideoTransmitter

# Target printers (XAddrs usually points at an unauthenticated management interface)
python scripts/ws-discovery-probe.py --type wprt:PrintDeviceType

3. Crafted and Spoofed Messages

WS-Discovery messages are not authenticated, so any host on the link can send them. Craft messages to:

  • Trigger responses from services that do not answer an empty Probe (probe by specific Type or Scope)
  • Test service behavior with malformed or oversized envelopes (a crash here is a denial of service on the device)
  • Enumerate service capabilities via Resolve and the XAddrs returned
  • Spoof Hello or Probe Match messages that advertise an attacker-controlled XAddrs, so clients looking for a printer or camera connect to the attacker instead

4. Information Disclosure

Extract sensitive information from responses:

  • Device names and models
  • Network topology
  • Service endpoints
  • Configuration details

Security Considerations

Risks

  1. Information Disclosure: WS-Discovery reveals device types, addresses, and capabilities, and ONVIF Scopes add model, name and location
  2. Network Mapping: Attackers can map every WS-Discovery device on the segment with a single multicast Probe
  3. Target Identification: Specific device types may indicate vulnerable services
  4. Service Manipulation: Malformed messages may crash services, and spoofed Hello or Probe Match messages can redirect clients to a rogue endpoint
  5. Reflection and Amplification: a device that answers unicast Probes from any source can be abused as a DDoS reflector, because UDP source addresses can be forged and the Probe Match reply is larger than the Probe; devices exposing 3702/UDP to the Internet have been abused this way

Mitigations

  1. Disable WS-Discovery on devices that don't need it (and on Windows hosts that do not need WSD printing)
  2. Network Segmentation: keep WS-Discovery devices on their own VLANs and do not route the 239.255.255.250 multicast group between segments
  3. Firewall Rules: drop inbound UDP/3702 from outside the local network, so unicast Probes from the Internet never reach a device, and drop outbound Probe Match replies to non-local addresses
  4. Monitor Traffic: alert on Probes from off-link sources, on Hello messages from endpoints not in the inventory, and on Probe bursts from a single host
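The monitoring item above as detection logic, written as an added example for this page (it is not part of the skill). It takes decoded datagram summaries of the form (timestamp, src, dst, WS-Addressing Action, EndpointReference address), as you would export from a capture of UDP/3702, and raises four kinds of alert: a unicast Probe from an external source, a device answering an external address (a confirmed reflector), a Hello from an endpoint missing from the inventory, and a Probe burst. The EVENTS list, the inventory and the burst threshold are constructed assumptions.

```python
"""Detection rules for WS-Discovery traffic (added example, not part of the skill)."""
import ipaddress
from collections import defaultdict

WSD = "http://schemas.xmlsoap.org/ws/2005/04/discovery/"
MCAST_GROUPS = {"239.255.255.250", "ff02::c"}
PROBE_BURST = 5   # assumed threshold: this many Probes from one source inside WINDOW seconds is a scan
WINDOW = 10.0
# Spelled out rather than using ipaddress.is_private: that flag also treats the
# TEST-NET documentation ranges used in the sample as private and would hide the external host.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def is_internal(ip):
    """True for RFC 1918, link-local and IPv6 ULA addresses; everything else is treated as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect(events, known_endpoints):
    """Return alert strings in time order.

    reflection: unicast Probe reaching a device from an external source
    reflector:  a device sending ProbeMatches to an external address (usable for DDoS reflection)
    rogue:      Hello from an EndpointReference that is not in the inventory
    scan:       PROBE_BURST Probes from one source within WINDOW seconds
    """
    alerts, recent_probes = [], defaultdict(list)
    for ts, src, dst, action, endpoint in sorted(events):
        kind = action[len(WSD):] if action.startswith(WSD) else ""
        if kind == "Probe":
            if dst.lower() not in MCAST_GROUPS and not is_internal(src):
                alerts.append(f"reflection: unicast Probe from external {src} to {dst}")
            window = recent_probes[src]
            window.append(ts)
            while ts - window[0] > WINDOW:   # slide the window; never empties because ts was just appended
                window.pop(0)
            if len(window) == PROBE_BURST:   # fire once when the threshold is crossed
                alerts.append(f"scan: {PROBE_BURST} Probes from {src} within {WINDOW:g}s")
        elif kind == "ProbeMatches" and not is_internal(dst):
            alerts.append(f"reflector: {src} answered a Probe from external {dst}")
        elif kind == "Hello" and endpoint not in known_endpoints:
            alerts.append(f"rogue: Hello from unknown endpoint {endpoint} at {src}")
    return alerts


# Constructed sample capture: 198.51.100.9 stands in for an Internet host.
EVENTS = [
    (0.0, "192.168.1.20", "239.255.255.250", WSD + "Probe", ""),                 # normal client scan
    (0.2, "192.168.1.50", "192.168.1.20", WSD + "ProbeMatches", "urn:uuid:cam-01"),
    (1.0, "192.168.1.77", "239.255.255.250", WSD + "Hello", "urn:uuid:printer-unknown"),
    (5.0, "198.51.100.9", "192.168.1.50", WSD + "Probe", ""),                    # unicast Probe from outside
    (5.1, "192.168.1.50", "198.51.100.9", WSD + "ProbeMatches", "urn:uuid:cam-01"),  # and the camera answers it
] + [(20.0 + i, "192.168.1.99", "239.255.255.250", WSD + "Probe", "") for i in range(6)]
KNOWN_ENDPOINTS = {"urn:uuid:cam-01"}

if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_ENDPOINTS):
        print(alert)
```

The reflector rule is the one worth wiring to a ticket: a Probe from outside shows exposure, but a ProbeMatches going back out proves the device will reflect, and the fix is the firewall rule in the mitigation list, not a tuning change in the detector.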

Testing Checklist

  • Scan for WS-Discovery services on the target network (empty Probe first, then by Type)
  • Enumerate all discovered devices and their Types, Scopes and XAddrs
  • Probe for specific device types (cameras, printers, scanners)
  • Follow every XAddrs URL and assess the HTTP service behind it
  • Test for information disclosure in responses (model, name, location in Scopes)
  • Check whether devices answer unicast Probes from off-link sources (reflector exposure)
  • Document all findings and potential attack vectors
  • Verify no sensitive information is exposed

References