POP - Port 110/995

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Support us and buy me a coffee. ☕

Pentesting POP (Post Office Protocol) services, particularly on ports 110 (POP3) and 995 (POP3S - SSL/TLS secured POP3), is essential to assess email servers' security posture. POP3 is widely used for retrieving emails from a server, and it is crucial to ensure its proper configuration and security to prevent unauthorized access and data leaks.

Default ports: 110, 995(ssl)

PORT    STATE SERVICE
110/tcp open  pop3

Scanning for Open Ports

First, identify whether the POP3 service is open on ports 110 (standard POP3) or 995 (POP3S - secure POP3 over SSL/TLS).

Port Scanning with Nmap:
```
nmap -p 110,995 --open <target_ip>
```
- This scans the target IP for open ports 110 and 995. Confirming these ports are open indicates that POP3 services are likely running.
Service Detection:
```
nmap -sV -p 110,995 <target_ip>
```
- The -sV flag allows Nmap to perform version detection, helping identify the specific version of the POP3 service running. This can give insight into any known vulnerabilities for that version.

Checking for SSL/TLS on Port 995

POP3S on port 995 should be using SSL/TLS encryption. Verify this to understand if secure communication is enforced.

SSL Scan with Nmap:
```
nmap --script ssl-cert,ssl-enum-ciphers -p 995 <target_ip>
```
- This command checks for the SSL certificate and supported encryption ciphers, helping you determine if the SSL/TLS configuration is strong or outdated.
Using OpenSSL to Test SSL/TLS:
```
openssl s_client -connect <target_ip>:995
```
- This command establishes an SSL/TLS connection to the POP3S server, allowing you to view the certificate details and encryption level. If it connects successfully, this confirms that the service is properly encrypted.

Enumerating POP3 Capabilities

Identify the supported capabilities of the POP3 service. This can reveal potential misconfigurations and features that may be exploited.

Using Telnet for Plain Text POP3 (Port 110):
```
telnet <target_ip> 110
```
- By connecting with Telnet, you can manually interact with the POP3 service. Type CAPA after connecting to see a list of supported POP3 capabilities, such as USER, PASS, and AUTH.

Manual Enumeration Commands:

POP commands:
  USER uid           Log in as "uid"
  PASS password      Substitue "password" for your actual password
  STAT               List number of messages, total mailbox size
  LIST               List messages and sizes
  RETR n             Show message n
  DELE n             Mark message n for deletion
  RSET               Undo any changes
  QUIT               Logout (expunges messages if no RSET)
  TOP msg n          Show first n lines of message number msg
  CAPA               Get capabilities

Automated Enumeration Commands:

nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -port <PORT> <IP> #All are default scripts

The pop3-ntlm-info plugin will return some "sensitive" data (Windows versions).

To test for weak credentials, you can attempt to bruteforce the POP3 login using known or guessed credentials. Use this only if authorized, as it can lock accounts and trigger alerts.

Hydra for POP3 Bruteforce:
```
hydra -l <username> -P <password_list> pop3://<target_ip> -s 110
```
- The command above attempts login on POP3 with port 110 using a specified username and password list.
POP3S Bruteforce (over SSL on port 995):
```
hydra -l <username> -P <password_list> pop3s://<target_ip> -s 995
```
- This command tries to authenticate over POP3S. It’s important to test for both plain and secure POP3 services if they are both available.

Testing for POP3 Vulnerabilities

Look for specific vulnerabilities associated with the POP3 server version, especially if outdated. Some common tools and methods include:

SearchSploit:
```
searchsploit <POP3_version>
```
- SearchSploit checks for known vulnerabilities associated with the detected POP3 version. This can help identify possible exploits to use.
Metasploit: Metasploit has a module for testing common POP3 vulnerabilities:
```
msfconsole
use auxiliary/scanner/pop3/pop3_version
set RHOSTS <target_ip>
run
```
- This Metasploit module scans for the POP3 service version and some known vulnerabilities.
Banner Grabbing (for version identification):
```
nc -nv <target_ip> 110
openssl s_client -connect <IP>:995 -crlf -quiet
```
- Netcat connects to the POP3 service, where the initial response might include the server banner, revealing the software and version.

Sniffing POP3 Traffic (If Using Plain Text)

If the target is using unencrypted POP3 on port 110, you may be able to capture and read email credentials and messages in transit.

Wireshark:
- Capture Filter: tcp port 110
- By setting this filter, Wireshark will capture only traffic over port 110, allowing you to inspect any unencrypted POP3 login attempts or email retrievals.
tcpdump:
```
tcpdump -i <interface> tcp port 110 -w pop3_traffic.pcap
```
- This command captures POP3 traffic on port 110 and saves it to a .pcap file for later analysis. Inspect this file in Wireshark to view credentials and message contents if they are transmitted in clear text.

Exploiting POP3 Misconfigurations

Some POP3 servers may have misconfigurations, such as weak authentication mechanisms or default credentials. Test for these with caution.

Default Credential Testing:
- Common default POP3 credentials include admin:admin, root:root, user:password, etc. If accessible, document it as a critical vulnerability.
Testing for Open Relay (unlikely but possible):
- While primarily an SMTP issue, some misconfigured POP3 services may allow unintended access to other email services or mail relaying, typically revealing poor configuration practices.

Post-Exploitation with POP3 Access

If you successfully authenticate, retrieve emails to assess their content for sensitive information.

Retrieving Emails with Telnet:
```
USER <username>
PASS <password>
STAT
RETR <message_number>
```
- After authentication, the STAT command shows the number of messages and total storage size. Use RETR followed by a message number to retrieve specific emails.

Using Python for Automated Email Retrieval:

import poplib

server = poplib.POP3('<target_ip>', 110)
server.user('<username>')
server.pass_('<password>')
messages = server.list()[1]
for message in messages:
    print("\n".join(server.retr(message.decode('utf-8'))[1]))
server.quit()

This script connects to the POP3 server, logs in, and retrieves each message, which can be analyzed for sensitive information.

Dangerous Settings

Setting

Description

auth_debug

Enables all authentication debug logging.

auth_debug_passwords

This setting adjusts log verbosity, the submitted passwords, and the scheme gets logged.

auth_verbose

Logs unsuccessful authentication attempts and their reasons.

auth_verbose_passwords

Passwords used for authentication are logged and can also be truncated.

auth_anonymous_username

This specifies the username to be used when logging in with the ANONYMOUS SASL mechanism.

Learn & practice For the OSCP.

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on Twitter @VeryLazyTech, Github @VeryLazyTech, and Medium @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Support us and buy me a coffee. ☕

PreviousKerberos - Port 88 NextPortmapper - Port 111/TCP/UDP

Last updated 7 months ago

Was this helpful?