POP - Port 110/995

Pentesting POP (Post Office Protocol) services, particularly on ports 110 (POP3) and 995 (POP3S - SSL/TLS secured POP3), is essential to assess email servers' security posture. POP3 is widely used for retrieving emails from a server, and it is crucial to ensure its proper configuration and security to prevent unauthorized access and data leaks.

Default ports: 110, 995(ssl)

PORT    STATE SERVICE
110/tcp open  pop3

Scanning for Open Ports

First, identify whether the POP3 service is open on ports 110 (standard POP3) or 995 (POP3S - secure POP3 over SSL/TLS).

1. Port Scanning with Nmap:

   Copy

   nmap -p 110,995 --open <target_ip>

   • This scans the target IP for open ports 110 and 995. Confirming these ports are open indicates that POP3 services are likely running.

2. Service Detection:

   Copy

   nmap -sV -p 110,995 <target_ip>

   • The -sV flag allows Nmap to perform version detection, helping identify the specific version of the POP3 service running. This can give insight into any known vulnerabilities for that version.

Checking for SSL/TLS on Port 995

POP3S on port 995 should be using SSL/TLS encryption. Verify this to understand if secure communication is enforced.

1. SSL Scan with Nmap:

   Copy

   nmap --script ssl-cert,ssl-enum-ciphers -p 995 <target_ip>

   • This command checks for the SSL certificate and supported encryption ciphers, helping you determine if the SSL/TLS configuration is strong or outdated.

2. Using OpenSSL to Test SSL/TLS:

   Copy

   openssl s_client -connect <target_ip>:995

   • This command establishes an SSL/TLS connection to the POP3S server, allowing you to view the certificate details and encryption level. If it connects successfully, this confirms that the service is properly encrypted.

Enumerating POP3 Capabilities

Identify the supported capabilities of the POP3 service. This can reveal potential misconfigurations and features that may be exploited.

1. Using Telnet for Plain Text POP3 (Port 110):

   Copy

   telnet <target_ip> 110

   • By connecting with Telnet, you can manually interact with the POP3 service. Type CAPA after connecting to see a list of supported POP3 capabilities, such as USER, PASS, and AUTH.

2. Manual Enumeration Commands:

   Copy

   POP commands:
     USER uid           Log in as "uid"
     PASS password      Substitue "password" for your actual password
     STAT               List number of messages, total mailbox size
     LIST               List messages and sizes
     RETR n             Show message n
     DELE n             Mark message n for deletion
     RSET               Undo any changes
     QUIT               Logout (expunges messages if no RSET)
     TOP msg n          Show first n lines of message number msg
     CAPA               Get capabilities

3. Automated Enumeration Commands:

nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -port <PORT> <IP> #All are default scripts

• The pop3-ntlm-info plugin will return some "sensitive" data (Windows versions).

Attempting Login Bruteforce (if authorized)

To test for weak credentials, you can attempt to bruteforce the POP3 login using known or guessed credentials. Use this only if authorized, as it can lock accounts and trigger alerts.

1. Hydra for POP3 Bruteforce:

   Copy

   hydra -l <username> -P <password_list> pop3://<target_ip> -s 110

   • The command above attempts login on POP3 with port 110 using a specified username and password list.

2. POP3S Bruteforce (over SSL on port 995):

   Copy

   hydra -l <username> -P <password_list> pop3s://<target_ip> -s 995

   • This command tries to authenticate over POP3S. It’s important to test for both plain and secure POP3 services if they are both available.

Testing for POP3 Vulnerabilities

Look for specific vulnerabilities associated with the POP3 server version, especially if outdated. Some common tools and methods include:

1. SearchSploit:

   Copy

   searchsploit <POP3_version>

   • SearchSploit checks for known vulnerabilities associated with the detected POP3 version. This can help identify possible exploits to use.

2. Metasploit: Metasploit has a module for testing common POP3 vulnerabilities:

   Copy

   msfconsole
   use auxiliary/scanner/pop3/pop3_version
   set RHOSTS <target_ip>
   run

   • This Metasploit module scans for the POP3 service version and some known vulnerabilities.

3. Banner Grabbing (for version identification):

   Copy

   nc -nv <target_ip> 110
   openssl s_client -connect <IP>:995 -crlf -quiet

   • Netcat connects to the POP3 service, where the initial response might include the server banner, revealing the software and version.

Sniffing POP3 Traffic (If Using Plain Text)

If the target is using unencrypted POP3 on port 110, you may be able to capture and read email credentials and messages in transit.

1. Wireshark:

   • Capture Filter: tcp port 110

   • By setting this filter, Wireshark will capture only traffic over port 110, allowing you to inspect any unencrypted POP3 login attempts or email retrievals.

2. tcpdump:

   Copy

   tcpdump -i <interface> tcp port 110 -w pop3_traffic.pcap

   • This command captures POP3 traffic on port 110 and saves it to a .pcap file for later analysis. Inspect this file in Wireshark to view credentials and message contents if they are transmitted in clear text.

Exploiting POP3 Misconfigurations

Some POP3 servers may have misconfigurations, such as weak authentication mechanisms or default credentials. Test for these with caution.

1. Default Credential Testing:

   • Common default POP3 credentials include admin:admin, root:root, user:password, etc. If accessible, document it as a critical vulnerability.

2. Testing for Open Relay (unlikely but possible):

   • While primarily an SMTP issue, some misconfigured POP3 services may allow unintended access to other email services or mail relaying, typically revealing poor configuration practices.

Post-Exploitation with POP3 Access

If you successfully authenticate, retrieve emails to assess their content for sensitive information.

1. Retrieving Emails with Telnet:

   Copy

   USER <username>
   PASS <password>
   STAT
   RETR <message_number>

   • After authentication, the STAT command shows the number of messages and total storage size. Use RETR followed by a message number to retrieve specific emails.

2. Using Python for Automated Email Retrieval:

   Copy

   import poplib
   
   server = poplib.POP3('<target_ip>', 110)
   server.user('<username>')
   server.pass_('<password>')
   messages = server.list()[1]
   for message in messages:
       print("\n".join(server.retr(message.decode('utf-8'))[1]))
   server.quit()

   • This script connects to the POP3 server, logs in, and retrieves each message, which can be analyzed for sensitive information.

Dangerous Settings