EPP - Port 700
Basic info
Extensible Provisioning Protocol (EPP) is the backbone of domain name management for registrars and registries across the globe. Used for provisioning domain names, contacts, and name servers, EPP's XML-based communication over TCP makes it a high-value target for attackers. Its sensitivity, paired with misconfigurations or improper implementation, can expose an organization to domain hijacking, unauthorized domain management, and registrar abuse.
This article dives deep into the architecture of EPP, common attack surfaces, advanced exploitation techniques, and countermeasures.
Understanding the EPP Protocol Architecture
EPP operates over TCP (usually port 700) and employs XML commands to handle domain transactions. The protocol uses a request-response model where the client (typically a registrar) sends commands to the server (registry operator).
EPP commands include: login, logout, check, info, create, update, delete, renew, and transfer.
EPP servers are frequently deployed behind authentication layers, yet many implementations leave tell-tale signs through banners, misconfigured TLS, or weak access controls.
Common Vulnerabilities in EPP Implementations
Credential Leakage
Developers often embed EPP credentials in:
- Version-controlled config files (e.g., epp-config.xml)
- Jenkins pipeline artifacts
- Docker container layers
# GitHub Dork
epp password OR epp-config filetype:xml site:github.com
Unauthenticated EPP Responses
Some misconfigured EPP servers respond with greeting XMLs before authentication, revealing internal information like:
- Server version
- Supported extensions (e.g., fee, launch, rgp)
- Registrar IDs
Nmap Script:
nmap -p 700 --script epp-info <target>
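Because the greeting is sent before any login, whatever it contains is readable by anyone who can open the TCP connection. The following Python script is an added example (not code from the original post): it reads the RFC 5734 length-prefixed frames EPP uses on port 700 and summarises what a greeting discloses (server ID, protocol versions, object and extension URIs), so an operator can review their own server's output. The greeting bytes are a constructed sample, not a capture from any real registry.

```python
import struct
import xml.etree.ElementTree as ET

EPP_NS = {"epp": "urn:ietf:params:xml:ns:epp-1.0"}

SAMPLE_GREETING = b"""<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <greeting>
    <svID>Example Registry EPP 2.3.1</svID>
    <svcMenu>
      <version>1.0</version>
      <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
      <objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
      <svcExtension>
        <extURI>urn:ietf:params:xml:ns:rgp-1.0</extURI>
        <extURI>urn:ietf:params:xml:ns:launch-1.0</extURI>
      </svcExtension>
    </svcMenu>
  </greeting>
</epp>"""  # constructed sample greeting, not taken from a real registry

def frame(xml_bytes):
    """RFC 5734 framing: 4-byte big-endian length that counts the header itself."""
    return struct.pack(">I", len(xml_bytes) + 4) + xml_bytes

def unframe(stream):
    """Split a byte stream into EPP data units; reject truncated or malformed frames."""
    units = []
    while stream:
        if len(stream) < 4:
            raise ValueError("truncated length header")
        (total,) = struct.unpack(">I", stream[:4])
        if total < 4 or len(stream) < total:
            raise ValueError("truncated or malformed frame")
        units.append(stream[4:total])
        stream = stream[total:]
    return units

def greeting_disclosure(xml_bytes):
    """Summarise what a <greeting> reveals to a client that has not logged in."""
    g = ET.fromstring(xml_bytes).find("epp:greeting", EPP_NS)
    if g is None:
        return None  # not a greeting (e.g. a <response> or <command>)
    return {
        "svID": g.findtext("epp:svID", default="", namespaces=EPP_NS),
        "versions": [v.text for v in g.findall("epp:svcMenu/epp:version", EPP_NS)],
        "objURIs": [u.text for u in g.findall("epp:svcMenu/epp:objURI", EPP_NS)],
        "extURIs": [u.text for u in g.findall("epp:svcMenu/epp:svcExtension/epp:extURI", EPP_NS)],
    }
```

A product name and version string in svID, as in the sample, is the kind of detail worth trimming from a production greeting.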
Exploitation Techniques: From Enumeration to Execution
Enumerating Domains
Using the check command with wildcards or automation can confirm domain availability without rate limiting.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <check>
      <domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>targetdomain.com</domain:name>
      </domain:check>
    </check>
  </command>
</epp>
If unauthenticated, this becomes a goldmine.
Abusing Registrar Access
Once credentials are obtained, the attacker can:
- Transfer domain ownership using the transfer command
- Modify nameservers with update
- Hijack entire domain portfolios
Attackers often create automation loops that target multiple domains via authenticated sessions.
Session Hijacking via Proxy Weaknesses
Registrars using shared reverse proxies or load balancers may incorrectly manage session states. Crafting replay requests with stolen session tokens allows lateral movement between authenticated tenants.