POP → Post Office Protocol
Ports
110 → POP3
Initiates the connection in plain text, i.e. without encryption
Standard port for POP3 connections without encryption
On this port, communication can be encrypted between client and server using the STLS command
995 → POP3S
This port is used exclusively for SSL/TLS encrypted connections from the beginning of the connection
It does not allow plain text connections
POP3 Commands
Commands | Description |
---|---|
USER <USERNAME> | Identify the user |
PASS <PASSWORD> | Authenticate the user with their password |
STAT | List the number of messages and their total size |
LIST | List the ID of each message and its size |
RETR <MESSAGE_NUMBER> | Show the specified message |
DELE <MESSAGE_NUMBER> | Mark the specified message for deletion |
CAPA | Request the POP3 server to display its capabilities |
RSET | Request the reset of the transmitted information |
QUIT | Close the connection with the POP3 server |
Remote Connection
Port 110
Netcat
nc <TARGET> 110
Telnet
telnet <TARGET> 110
Port 995
OpenSSL
openssl s_client -connect <TARGET>:995 -quiet 2> /dev/null
> USER username
> PASS password
Curl
Non-Interactive
By default, curl runs the LIST command
curl --silent --insecure "pop3s://<TARGET>:995" --user '<USER>:<PASSWORD>'
Enumeration
Banner Grabbing
Netcat
nc -vn <TARGET> 110
Telnet
telnet <TARGET> 110
Info
Both netcat and telnet only support plain text connections. Therefore, banner grabbing can be performed with these tools only on port 110
OpenSSL
openssl s_client -connect <TARGET>:995 -quiet 0< /dev/null 2>&0
Curl
A line starting with < means header data received by curl that is usually hidden
curl --silent --insecure --verbose "pop3s://<TARGET>:995" --user '<USER>:<PASSWORD>' |& grep -iP -- '^<'
Service Interaction
OpenSSL
Interactive Session
openssl s_client -connect <TARGET>:995 2> /dev/null # Connect to the POP3 server
> USER username # Log in as username
> PASS password # Password for the above user
> STAT # List the number of messages and their total size
> LIST # List the ID of each message and its size
> RETR ID # Show the specified message
The same applies to port 110 using netcat or telnet
Curl
List Total Number of Messages
curl --silent --insecure --request "STAT" "pop3s://<TARGET>:995" --user '<USER>:<PASSWORD>'
List the ID of all Messages
curl --silent --insecure "pop3s://<TARGET>:995" --user '<USER>:<PASSWORD>'
Show the Content of a Specific Message
curl --silent --insecure --request "RETR <MESSAGE_ID>" "pop3s://<TARGET>:995" --user '<USER>:<PASSWORD>'
User Enumeration
USER
Port 110
telnet <TARGET> 110
> USER anyRandomUser
-ERR
> USER john
+OK
Port 995
openssl s_client -connect <TARGET>:995 -quiet 2> /dev/null
> USER anyRandomUser
-ERR
> USER john
+OK
Bruteforcing || Password Spraying
Hydra
Important
The format for the users on the list should be as follows → <USER>@<DOMAIN>.<TLD>
Bruteforcing
- One User ↔ Passwordlist
hydra -v -T <THREADS> -l <USERNAME> -P <PASSWDLIST> <TARGET> pop3
- Userlist → Passwordlist
hydra -v -T <THREADS> -L <USERLIST> -P <PASSWORDLIST> <TARGET> pop3
Password Spraying
hydra -v -T <THREADS> -L <USERLIST> -p <PASSWORD> <TARGET> pop3
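Detection
Seen from the server side, the three Hydra modes above leave different footprints in the authentication log. The following is an added example, not part of the original page: it labels each source IP by guessing pattern and reports any account that logged in successfully from it. The log format, the function name, and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified, hypothetical log format (assumption:
# one line per POP3 login attempt with result, account and remote IP).
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} pop3 auth_fail user=john@example.test rip=203.0.113.10"
     for i in range(8)]
    + [f"2024-05-01T10:05:{i:02d} pop3 auth_fail user=user{i}@example.test rip=198.51.100.7"
       for i in range(6)]
    + ["2024-05-01T10:06:00 pop3 auth_ok user=user6@example.test rip=198.51.100.7",
       "2024-05-01T10:09:00 pop3 auth_fail user=mary@example.test rip=192.0.2.44",
       "2024-05-01T10:09:05 pop3 auth_ok user=mary@example.test rip=192.0.2.44"]
)

LINE_RE = re.compile(r"^\S+ pop3 (auth_fail|auth_ok) user=(\S+) rip=(\S+)$")


def classify_sources(log_text, min_failures=5, spray_max_per_user=2):
    """Label each source IP with >= min_failures failed logins by guessing pattern."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> account -> failures
    oks = defaultdict(set)                          # ip -> accounts logged in
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                # ignore unrelated lines
        result, user, ip = m.groups()
        if result == "auth_fail":
            fails[ip][user.lower()] += 1
        else:
            oks[ip].add(user.lower())
    report = {}
    for ip, per_user in fails.items():
        total = sum(per_user.values())
        if total < min_failures:
            continue                                # likely a mistyped password
        if len(per_user) == 1:
            pattern = "bruteforce"                  # one account, many passwords
        elif max(per_user.values()) <= spray_max_per_user:
            pattern = "password_spraying"           # many accounts, few tries each
        else:
            pattern = "userlist_bruteforce"         # many accounts, many tries each
        report[ip] = {"pattern": pattern, "failures": total,
                      "accounts": len(per_user),
                      "successful_logins": sorted(oks[ip])}
    return report
```

A non-empty successful_logins list on a flagged source is the entry to triage first, since it means a guessed credential worked.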