EPP
aka registry
Extensible Provisioning Protocol (EPP) on TCP port 700: the XML-over-TLS interface registrars use to manage domains at a registry. Rare on engagements, but client-cert/credential access means control over domain registrations.
Ports
| Port | Proto | Notes |
|---|---|---|
| 700 | tcp | EPP (over TLS) |
Fingerprint
- TLS service on 700 returning an EPP <greeting> XML
- Expects mutual-TLS from registrar clients
Exploitation primitives
- Greeting XML discloses the registry server + supported objects/extensions
- With a registrar client cert + login, create/transfer/delete domains
- Credential/cert theft from a registrar is the real-world path in
Overview
EPP on 700 is how domain registrars talk to a registry. It’s locked behind mutual TLS, so it’s mostly relevant when you’ve already compromised a registrar’s certs/creds.
Enumeration
Pull the EPP greeting:
openssl s_client -connect <TARGET>:700
The <greeting> lists the server and supported objects. Authenticated actions (<login>, domain create/transfer) require a valid registrar cert + credentials.
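To audit what your own registry endpoint advertises before login, the following added example (not part of the original page) decodes one EPP data unit using the RFC 5734 framing (a 4-byte big-endian length that includes the header itself) and extracts the greeting's server ID, objects and extensions. The sample greeting, the `MAX_FRAME` cap and the function names are constructed for illustration.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"e": "urn:ietf:params:xml:ns:epp-1.0"}
MAX_FRAME = 64 * 1024  # assumed sanity cap, not a protocol limit

def read_frame(buf: bytes) -> bytes:
    """Strip the 4-byte big-endian length header (it counts itself)."""
    if len(buf) < 4:
        raise ValueError("short header")
    (total,) = struct.unpack("!I", buf[:4])
    if not 4 < total <= MAX_FRAME:
        raise ValueError(f"implausible frame length {total}")
    if len(buf) < total:
        raise ValueError("truncated frame")
    return buf[4:total]

def parse_greeting(payload: bytes) -> dict:
    """Return the fields an EPP <greeting> advertises before any login."""
    if b"<!DOCTYPE" in payload or b"<!ENTITY" in payload:
        raise ValueError("DTD/entity declarations are not expected in EPP")
    g = ET.fromstring(payload).find("e:greeting", NS)
    if g is None:
        raise ValueError("not an EPP greeting")
    def texts(path):
        return [el.text.strip() for el in g.findall(path, NS) if el.text]
    return {
        "server_id": (g.findtext("e:svID", "", NS) or "").strip(),
        "versions": texts("e:svcMenu/e:version"),
        "languages": texts("e:svcMenu/e:lang"),
        "objects": texts("e:svcMenu/e:objURI"),
        "extensions": texts("e:svcMenu/e:svcExtension/e:extURI"),
    }

# Constructed sample greeting, framed the way a server would send it.
SAMPLE_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><greeting>'
    b'<svID>Example EPP server (constructed)</svID>'
    b'<svDate>2024-01-01T00:00:00.0Z</svDate>'
    b'<svcMenu><version>1.0</version><lang>en</lang>'
    b'<objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>'
    b'<objURI>urn:ietf:params:xml:ns:host-1.0</objURI>'
    b'<svcExtension><extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>'
    b'</svcExtension></svcMenu></greeting></epp>'
)
SAMPLE_FRAME = struct.pack("!I", len(SAMPLE_XML) + 4) + SAMPLE_XML

if __name__ == "__main__":
    for key, value in parse_greeting(read_frame(SAMPLE_FRAME)).items():
        print(f"{key}: {value}")
```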
Hardening
Enforce mutual TLS, IP-allowlist registrar clients, and protect registrar credentials/certs.