# WS-Discovery - Port 3702/UDP

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/product-category/membership/)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop**](https://shop.verylazytech.com/) for e-books and courses. 📚
  {% endtab %}
  {% endtabs %}

### **Basic info**

**WS-Discovery** (Web Services Dynamic Discovery) is a UDP-based multicast discovery protocol used primarily in local networks for service advertisement and discovery.\
It is commonly implemented in:

* Network printers
* IP cameras
* Media servers
* IoT devices
* Windows services

WS-Discovery uses SOAP messages over UDP to allow clients to locate services automatically without manual configuration.

When exposed to the internet or misconfigured, WS-Discovery can:

* Leak internal network information.
* Allow attackers to enumerate available devices and services.
* Be abused for **DDoS amplification attacks**.

***

### **Key Details**

* **Default Port:** `3702/udp`
* **Protocol:** WS-Discovery (SOAP over UDP)
* **Risk:** Device enumeration, sensitive information leakage, DDoS amplification.

***

### **Port Discovery**

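Check whether the port responds. Nmap reports a UDP port that returns nothing as `open|filtered`, so a plain `open` means a reply was received:

```bash
nmap -sU -p 3702 <target>
```

Example output:

```
PORT     STATE SERVICE
3702/udp open  ws-discovery
```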

***

### **Enumeration**

#### **1. Nmap Script Scan**

```bash
nmap -sU -p 3702 --script broadcast-ws-discovery
```

`broadcast-ws-discovery` is a broadcast (prerule) script, so it needs no target: it sends a multicast WS-Discovery probe and lists the devices that answer on the local network.

***

#### **2. Manual WS-Discovery Probe**

You can send a crafted SOAP `Probe` request using `netcat` or `socat`:

```bash
# Unquoted heredoc so $(uuidgen) expands to a fresh MessageID
# (inside single quotes it would be sent as literal text).
# xmlns:dn declares the ONVIF prefix used in <d:Types>.
# Replace <target_ip> before running.
cat <<EOF | socat - "UDP-DATAGRAM:<target_ip>:3702"
<?xml version="1.0" encoding="UTF-8"?>
<e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery" xmlns:dn="http://www.onvif.org/ver10/network/wsdl">
  <e:Header>
    <w:MessageID>uuid:$(uuidgen)</w:MessageID>
    <w:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</w:To>
    <w:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</w:Action>
  </e:Header>
  <e:Body>
    <d:Probe>
      <d:Types>dn:NetworkVideoTransmitter</d:Types>
    </d:Probe>
  </e:Body>
</e:Envelope>
EOF
```

If successful, the device will respond with details about its services and network location.
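
The following is an added example, not part of the original page: a Python parser for auditing what a `ProbeMatches` reply from your own device discloses and how much larger it is than the probe. The sample reply, the device name in it and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"d": "http://schemas.xmlsoap.org/ws/2005/04/discovery",
      "w": "http://schemas.xmlsoap.org/ws/2004/08/addressing"}

# Constructed sample ProbeMatches reply (not captured from a real device).
SAMPLE_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope"
 xmlns:w="http://schemas.xmlsoap.org/ws/2004/08/addressing"
 xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery"
 xmlns:dn="http://www.onvif.org/ver10/network/wsdl">
 <e:Body><d:ProbeMatches><d:ProbeMatch>
  <w:EndpointReference><w:Address>urn:uuid:00000000-0000-0000-0000-000000000001</w:Address></w:EndpointReference>
  <d:Types>dn:NetworkVideoTransmitter</d:Types>
  <d:Scopes>onvif://www.onvif.org/name/ExampleCam onvif://www.onvif.org/hardware/EX-1000</d:Scopes>
  <d:XAddrs>http://192.168.1.64/onvif/device_service</d:XAddrs>
 </d:ProbeMatch></d:ProbeMatches></e:Body>
</e:Envelope>"""

def _is_private(host):
    """True when host is an IP literal in a private or otherwise non-global range."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a DNS name, not an IP literal
        return False

def parse_probe_matches(reply: bytes) -> list:
    """Return one dict per ProbeMatch with the fields the device discloses."""
    if b"<!DOCTYPE" in reply:  # replies are untrusted input: refuse DTDs
        raise ValueError("DTD in WS-Discovery reply")
    findings = []
    for match in ET.fromstring(reply).iterfind(".//d:ProbeMatch", NS):
        def words(tag):  # these elements hold whitespace-separated lists
            return (match.findtext(tag, default="", namespaces=NS) or "").split()
        hosts = [urlparse(x).hostname or "" for x in words("d:XAddrs")]
        findings.append({
            "endpoint": match.findtext("w:EndpointReference/w:Address", "", NS).strip(),
            "types": words("d:Types"),
            "scopes": words("d:Scopes"),
            "xaddrs": words("d:XAddrs"),
            "leaks_private_ip": any(_is_private(h) for h in hosts),
        })
    return findings

def amplification_factor(probe_len: int, reply: bytes) -> float:
    """Reply bytes returned per probe byte; above 1 the responder amplifies."""
    return len(reply) / probe_len
```

A reply received on an internet-facing address with `leaks_private_ip` set, or with a factor well above 1, is the exposure the Basic info section describes.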

