# EPP - Port 700

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚
{% endtab %}
{% endtabs %}

## Basic info

Extensible Provisioning Protocol (EPP) is the backbone of domain name management for registrars and registries across the globe. Used for provisioning domain names, contacts, and name servers, EPP’s XML-based communication over TCP makes it a high-value target for attackers. Its sensitivity, paired with misconfigurations or improper implementation, can expose an organization to domain hijacking, unauthorized domain management, and registrar abuse.

This article dives deep into the architecture of EPP, common attack surfaces, advanced exploitation techniques, and countermeasures.

### Understanding the EPP Protocol Architecture

EPP operates over TCP (usually port 700) and employs XML commands to handle domain transactions. The protocol uses a request-response model where the client (typically a registrar) sends commands to the server (registry operator).

**EPP commands include:**

* `login`, `logout`
* `check`, `info`, `create`, `update`, `delete`, `renew`, `transfer`

EPP servers are frequently deployed behind authentication layers, yet many implementations still leave tell-tale signs through banners, misconfigured TLS, or weak access controls.

***

## Common Vulnerabilities in EPP Implementations

### **Credential Leakage**

Developers often embed EPP credentials in:

* Version-controlled config files (e.g., `epp-config.xml`)
* Jenkins pipeline artifacts
* Docker container layers

```bash
# GitHub Dork
epp password OR epp-config filetype:xml site:github.com
```

### **Unauthenticated EPP Responses**

Some misconfigured EPP servers respond with `greeting` XMLs **before authentication**, revealing internal information like:

* Server version
* Supported extensions (e.g., `fee`, `launch`, `rgp`)
* Registrar IDs

**Nmap Script:**

```bash
nmap -p 700 --script epp-info <target>
```

***

## Exploitation Techniques: From Enumeration to Execution

#### **Enumerating Domains**

Using the `check` command with wildcards or automation can confirm domain availability without rate limiting.

Example:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- The root element must carry the EPP namespace (RFC 5730) or the server rejects the command -->
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <check>
      <domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>targetdomain.com</domain:name>
      </domain:check>
    </check>
    <!-- Optional client transaction id, echoed back in the response -->
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>
```

**If unauthenticated, this becomes a goldmine.**

#### **Abusing Registrar Access**

Once credentials are obtained, the attacker can:

* Transfer domain ownership using the `transfer` command
* Modify nameservers with `update`
* Hijack entire domain portfolios

Attackers often create automation loops that target multiple domains via authenticated sessions.
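From the registry side, the enumeration and bulk-abuse patterns described in the two sections above are visible in the command stream and can be flagged. The following is an added example (not code from the original page or any EPP project) that classifies logged EPP command bodies per client session and raises alerts for checks issued before any login, check volumes above a threshold, and many distinct domains touched by `update`/`transfer` in one session; the thresholds, client ids and domain names are constructed.

```python
# Added example, not from the page: registry-side detection of the patterns above
# (unauthenticated or unthrottled `check` enumeration, bulk `update`/`transfer`) over
# server-side logs of XML command bodies. Thresholds, clients and domains are constructed.
import xml.etree.ElementTree as ET

EPP = "{urn:ietf:params:xml:ns:epp-1.0}"
DOM = "{urn:ietf:params:xml:ns:domain-1.0}"
LOGIN = ('<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><login>'
         '<clID>reg</clID><pw>secret</pw></login></command></epp>')

def classify(xml_doc: str):
    """(verb, [domain names]) for login or a domain check/update/transfer, else (None, [])."""
    command = ET.fromstring(xml_doc).find(f"{EPP}command")
    for verb in ("login", "check", "update", "transfer"):
        node = None if command is None else command.find(f"{EPP}{verb}")
        if node is not None:
            return verb, [n.text for n in node.iter(f"{DOM}name")]
    return None, []

def detect(sessions: dict, max_checks: int = 5, max_changed: int = 3) -> list:
    """Per session: flag checks before login, >max_checks names checked, >max_changed domains changed."""
    alerts = []
    for client, docs in sessions.items():
        checks, unauth, touched, logged_in = 0, 0, set(), False
        for verb, names in map(classify, docs):
            logged_in |= verb == "login"
            unauth += len(names) if verb == "check" and not logged_in else 0
            checks += len(names) if verb == "check" else 0
            touched |= set(names) if verb in ("update", "transfer") else set()
        if unauth:
            alerts.append((client, "unauthenticated-check", unauth))
        if checks > max_checks:
            alerts.append((client, "check-flood", checks))
        if len(touched) > max_changed:
            alerts.append((client, "bulk-domain-change", len(touched)))
    return alerts

def domain_cmd(verb: str, name: str) -> str:
    """Constructed input: a minimal RFC 5731 domain command (transfer carries op=)."""
    op = ' op="request"' if verb == "transfer" else ""
    return (f'<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><{verb}{op}>'
            f'<domain:{verb} xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">'
            f'<domain:name>{name}</domain:name></domain:{verb}></{verb}></command></epp>')

SAMPLE = {  # constructed traffic: A checks 8 names before any login, B moves 4 domains, C is benign
    "client-A": [domain_cmd("check", f"name{i}.example") for i in range(8)],
    "client-B": [LOGIN] + [domain_cmd("transfer", f"v{i}.example") for i in range(4)],
    "client-C": [LOGIN, domain_cmd("check", "shop.example"), domain_cmd("update", "shop.example")],
}
```

`detect(SAMPLE)` returns two alerts for client-A, one for client-B and none for the benign client-C; in production the per-client counters would be kept per time window rather than per whole session.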

#### **Session Hijacking via Proxy Weaknesses**

Registrars using shared reverse proxies or load balancers may incorrectly manage session states. Crafting replay requests with stolen session tokens allows lateral movement between authenticated tenants.

***

