POP - Port 110/995
Pentesting POP (Post Office Protocol) services, particularly on ports 110 (POP3) and 995 (POP3S - SSL/TLS secured POP3), is essential to assess email servers' security posture. POP3 is widely used for retrieving emails from a server, and it is crucial to ensure its proper configuration and security to prevent unauthorized access and data leaks.
Default ports: 110 (plain text), 995 (SSL/TLS)
First, identify whether the POP3 service is open on ports 110 (standard POP3) or 995 (POP3S - secure POP3 over SSL/TLS).
Port Scanning with Nmap:
This scans the target IP for open ports 110 and 995. Confirming these ports are open indicates that POP3 services are likely running.
Service Detection:
The -sV flag makes Nmap perform version detection, which identifies the specific POP3 server software and version. That version can then be checked against known vulnerabilities.
POP3S on port 995 should be using SSL/TLS encryption. Verify this to understand if secure communication is enforced.
SSL Scan with Nmap:
This command checks for the SSL certificate and supported encryption ciphers, helping you determine if the SSL/TLS configuration is strong or outdated.
Using OpenSSL to Test SSL/TLS:
This command establishes an SSL/TLS connection to the POP3S server, allowing you to view the certificate details and encryption level. If it connects successfully, this confirms that the service is properly encrypted.
Identify the supported capabilities of the POP3 service. This can reveal potential misconfigurations and features that may be exploited.
Using Telnet for Plain Text POP3 (Port 110):
By connecting with Telnet, you can interact with the POP3 service manually. Type CAPA after connecting to list the supported POP3 capabilities, such as USER, PASS, and AUTH.
Manual Enumeration Commands:
Automated Enumeration Commands:
The pop3-ntlm-info NSE script returns some "sensitive" data (Windows versions).
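Worked example added here (not part of the original page): a Python parser for the CAPA reply that turns the capability list into the findings a reviewer cares about, namely whether STLS is offered, whether USER/PASS or cleartext SASL mechanisms are accepted before TLS, and whether the server discloses its implementation. The CAPA text is constructed and the function names are my own.

```python
# Constructed CAPA reply from a plain-text POP3 listener on port 110, in the
# shape RFC 2449 describes; not captured from any real host.
SAMPLE_CAPA = """+OK Capability list follows
TOP
USER
SASL PLAIN LOGIN
RESP-CODES
PIPELINING
UIDL
IMPLEMENTATION ExampleMailServer 1.2.3
.
"""

# SASL mechanisms that hand the password to the server in a recoverable form
# unless the connection is already protected by TLS.
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}

def parse_capa(response: str) -> dict:
    """Parse a CAPA reply into {CAPABILITY: [arguments]}; stops at the '.' terminator."""
    lines = response.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA not supported or negative reply: %r" % lines[:1])
    caps = {}
    for line in lines[1:]:
        if line == ".":
            break
        name, *args = line.split()
        caps[name.upper()] = args
    return caps

def assess_capa(response: str, port: int = 110) -> dict:
    """Return findings for a CAPA reply seen on `port` (995 means TLS is already in place)."""
    caps = parse_capa(response)
    tls_already = port == 995
    sasl = {m.upper() for m in caps.get("SASL", [])}
    findings = []
    if not tls_already and "STLS" not in caps:
        findings.append("no STLS: connection cannot be upgraded to TLS")
    if not tls_already and "USER" in caps:
        findings.append("USER/PASS accepted before TLS: password crosses the wire in cleartext")
    weak = sasl & CLEARTEXT_SASL
    if not tls_already and weak:
        findings.append("cleartext SASL offered before TLS: " + ", ".join(sorted(weak)))
    if "IMPLEMENTATION" in caps:
        findings.append("IMPLEMENTATION discloses software: " + " ".join(caps["IMPLEMENTATION"]))
    return {"capabilities": caps, "stls": "STLS" in caps, "sasl": sasl, "findings": findings}
```

Run the same reply with port=995 and only the IMPLEMENTATION disclosure remains, which is the point of comparing both listeners.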
To test for weak credentials, you can attempt to brute-force the POP3 login using known or guessed credentials. Use this only if authorized, as it can lock accounts and trigger alerts.
Hydra for POP3 Bruteforce:
The command above attempts login on POP3 with port 110 using a specified username and password list.
POP3S Bruteforce (over SSL on port 995):
This command tries to authenticate over POP3S. It is important to test both the plain and the secure POP3 service if both are available.
Look for specific vulnerabilities associated with the POP3 server version, especially if outdated. Some common tools and methods include:
SearchSploit:
SearchSploit checks for known vulnerabilities associated with the detected POP3 version. This can help identify possible exploits to use.
Metasploit: Metasploit has a module for testing common POP3 vulnerabilities:
This Metasploit module scans for the POP3 service version and some known vulnerabilities.
Banner Grabbing (for version identification):
Netcat connects to the POP3 service, where the initial response might include the server banner, revealing the software and version.
If the target is using unencrypted POP3 on port 110, you may be able to capture and read email credentials and messages in transit.
Wireshark:
Capture Filter: tcp port 110
By setting this filter, Wireshark will capture only traffic over port 110, allowing you to inspect any unencrypted POP3 login attempts or email retrievals.
tcpdump:
This command captures POP3 traffic on port 110 and saves it to a .pcap file for later analysis. Inspect this file in Wireshark to view credentials and message contents if they are transmitted in clear text.
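As an added example (not from the original page), the check a Wireshark analyst does by eye written as detection logic over constructed Follow-TCP-Stream transcripts: it reports USER/PASS and AUTH PLAIN credentials sent before TLS, exposing only the username and the password length, and stops at a successful STLS because everything after it is encrypted. The transcripts and function names are assumptions of this example.

```python
import base64

# Constructed Follow-TCP-Stream style transcripts (C: client, S: server) of port-110 sessions; not real captures.
PLAIN_SESSION = """S: +OK POP3 ready
C: USER alice
S: +OK
C: PASS Winter2024!
"""
SASL_SESSION = """S: +OK POP3 ready
C: AUTH PLAIN
S: +
C: AGJvYgBodW50ZXIy
"""
STLS_SESSION = """S: +OK POP3 ready
C: STLS
S: +OK Begin TLS negotiation
C: USER carol (would be ciphertext on the wire)
"""

def _plain_alert(blob):
    # SASL PLAIN is base64 of "authzid\0authcid\0password": encoding, not encryption.
    _authzid, authcid, password = base64.b64decode(blob).decode().split("\0")
    return {"mechanism": "AUTH PLAIN", "user": authcid, "password_len": len(password)}

def detect_cleartext_auth(transcript):
    """Return one alert per credential sent before TLS; the password itself is never returned."""
    alerts, user, pending = [], None, None
    for raw in transcript.splitlines():
        tag, _, body = raw.partition(": ")
        if tag == "S":
            if pending == "STLS":
                if body.startswith("+OK"):
                    break          # TLS handshake begins here; nothing after it is readable
                pending = None     # STLS refused, the session stays in cleartext
            continue
        verb, _, arg = body.partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            pending = "STLS"
        elif verb == "USER":
            user = arg
        elif verb == "PASS" and user is not None:
            alerts.append({"mechanism": "USER/PASS", "user": user, "password_len": len(arg)})
            user = None
        elif verb == "AUTH" and arg.upper() == "PLAIN":
            pending = "PLAIN"      # client sends the base64 blob on the next line
        elif pending == "PLAIN":
            alerts.append(_plain_alert(body))
            pending = None
    return alerts
```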
Some POP3 servers may have misconfigurations, such as weak authentication mechanisms or default credentials. Test for these with caution.
Default Credential Testing:
Common default POP3 credentials include admin:admin, root:root, user:password, etc. If accessible, document it as a critical vulnerability.
Testing for Open Relay (unlikely but possible):
While primarily an SMTP issue, some misconfigured POP3 services may allow unintended access to other email services or mail relaying, typically revealing poor configuration practices.
If you successfully authenticate, retrieve emails to assess their content for sensitive information.
Retrieving Emails with Telnet:
After authentication, the STAT command shows the number of messages and the total storage size. Use RETR followed by a message number to retrieve a specific email.
Using Python for Automated Email Retrieval:
This script connects to the POP3 server, logs in, and retrieves each message, which can be analyzed for sensitive information.
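An added Python version of the retrieval script described above (not the page's original code): it connects over POP3S with certificate verification, walks STAT and RETR through poplib, and scans each message for sensitive patterns. The host, account, patterns and SAMPLE_MESSAGE are constructed placeholders.

```python
import email
import poplib
import re
import ssl
from email import policy

# Patterns worth flagging in retrieved mail; tune per engagement (constructed examples).
SENSITIVE = {
    "password": re.compile(r"\bpassword\b\s*[:=]\s*\S+", re.I),
    "reset_link": re.compile(r"https?://\S+/reset\S*", re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def scan_message(raw: bytes) -> dict:
    """Parse one message and report which sensitive patterns its text body matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hits = sorted(name for name, rx in SENSITIVE.items() if rx.search(text))
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]), "hits": hits}

def retrieve_all(host: str, user: str, password: str, port: int = 995) -> list:
    """Fetch every message over POP3S (certificate verified) and scan each one."""
    ctx = ssl.create_default_context()          # rejects self-signed or mismatched certificates
    conn = poplib.POP3_SSL(host, port, timeout=10, context=ctx)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()              # the same two numbers STAT prints in Telnet
        results = []
        for n in range(1, count + 1):
            _status, lines, _octets = conn.retr(n)   # RETR n; poplib removes the dot-stuffing
            results.append(scan_message(b"\r\n".join(lines)))
        return results
    finally:
        conn.quit()

# Constructed message in the form RETR returns, used to exercise scan_message offline.
SAMPLE_MESSAGE = b"""From: it-helpdesk@example.test\r
To: alice@example.test\r
Subject: Your new account\r
Content-Type: text/plain; charset=utf-8\r
\r
Welcome! Your temporary password: Welcome123!\r
Reset it at https://mail.example.test/reset?token=PLACEHOLDER\r
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))
```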
| Setting | Description |
|---|---|
| auth_debug | Enables all authentication debug logging. |
| auth_debug_passwords | In addition to the debug logging, the submitted passwords and the password scheme are logged. |
| auth_verbose | Logs unsuccessful authentication attempts and their reasons. |
| auth_verbose_passwords | Passwords used for authentication are logged; they can also be truncated. |
| auth_anonymous_username | Specifies the username to be used when logging in with the ANONYMOUS SASL mechanism. |
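The settings in the table above are Dovecot authentication options. As an added example (not from the original page), a small audit that reads a Dovecot configuration excerpt and flags the values that put passwords into the logs; the configuration text and function names are constructed for this example.

```python
# Constructed excerpt of a Dovecot configuration (not from a real deployment)
# with the table's settings in the state an auditor should flag.
RISKY_CONF = """
# Authentication logging
auth_debug = yes
auth_debug_passwords = yes       # cleartext passwords plus scheme end up in the log
auth_verbose = yes
auth_verbose_passwords = plain   # values: no, plain, sha1, sha1:<n> (truncated hash)
auth_anonymous_username = anonymous
"""

# Same excerpt with the password-logging settings turned off.
HARDENED_CONF = """
auth_debug = no
auth_debug_passwords = no
auth_verbose = yes               # failed logins and their reasons are still useful to log
auth_verbose_passwords = no
"""

def parse_dovecot_conf(text):
    """Return top-level `key = value` pairs; comments stripped, block openers skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line or line.endswith("{"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings

def audit_auth_logging(text):
    """List settings that write credentials, or excessive auth detail, to the logs."""
    s = parse_dovecot_conf(text)
    findings = []
    if s.get("auth_debug_passwords", "no") == "yes":
        findings.append("auth_debug_passwords=yes: submitted passwords and scheme are logged")
    avp = s.get("auth_verbose_passwords", "no")
    if avp == "plain":
        findings.append("auth_verbose_passwords=plain: passwords from failed logins logged in cleartext")
    elif avp.startswith("sha1"):
        findings.append("auth_verbose_passwords=%s: hashed passwords logged; debugging only" % avp)
    if s.get("auth_debug", "no") == "yes":
        findings.append("auth_debug=yes: full authentication debug logging enabled")
    return findings
```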