WS-Discovery - Port 3702/UDP

Basic info

WS-Discovery (Web Services Dynamic Discovery) is a UDP-based multicast discovery protocol used primarily in local networks for service advertisement and discovery. It is commonly implemented in:

• Network printers

• IP cameras

• Media servers

• IoT devices

• Windows services

WS-Discovery uses SOAP messages over UDP to allow clients to locate services automatically without manual configuration.

When exposed to the internet or misconfigured, WS-Discovery can:

• Leak internal network information.

• Allow attackers to enumerate available devices and services.

• Be abused for DDoS amplification attacks.

Key Details

• Default Port: 3702/udp

• Protocol: WS-Discovery (SOAP over UDP)

• Risk: Device enumeration, sensitive information leakage, DDoS amplification.

Port Discovery

Check if the port is open/responding:

nmap -sU -p 3702 <target>
PORT     STATE SERVICE
3702/udp open  ws-discovery

Enumeration

1. Nmap Script Scan

nmap -sU -p 3702 --script broadcast-ws-discovery

This will send WS-Discovery probe requests and list discovered devices on the network.

2. Manual WS-Discovery Probe

You can send a crafted SOAP Probe request using netcat or socat:

echo -n \
'<?xml version="1.0" encoding="UTF-8"?>
<e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery">
  <e:Header>
    <w:MessageID>uuid:$(uuidgen)</w:MessageID>
    <w:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</w:To>
    <w:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</w:Action>
  </e:Header>
  <e:Body>
    <d:Probe>
      <d:Types>dn:NetworkVideoTransmitter</d:Types>
    </d:Probe>
  </e:Body>
</e:Envelope>' \
| socat - UDP-DATAGRAM:<target_ip>:3702

If successful, the device will respond with details about its services and network location.