POP - Port 110/995
Pentesting POP (Post Office Protocol) services, particularly on ports 110 (POP3) and 995 (POP3S - SSL/TLS secured POP3), is essential to assess email servers' security posture. POP3 is widely used for retrieving emails from a server, and it is crucial to ensure its proper configuration and security to prevent unauthorized access and data leaks.
Default ports: 110, 995(ssl)
PORT STATE SERVICE
110/tcp open pop3
Scanning for Open Ports
First, identify whether the POP3 service is open on ports 110 (standard POP3) or 995 (POP3S - secure POP3 over SSL/TLS).
Port Scanning with Nmap:
nmap -p 110,995 --open <target_ip>
This scans the target IP for open ports 110 and 995. Confirming these ports are open indicates that POP3 services are likely running.
Service Detection:
nmap -sV -p 110,995 <target_ip>
The -sV flag makes Nmap perform version detection, which identifies the specific POP3 server software and version. That version string is what you feed into SearchSploit or a vulnerability database to look for known issues.
Checking for SSL/TLS on Port 995
POP3S on port 995 should be using SSL/TLS encryption. Verify this to understand if secure communication is enforced.
SSL Scan with Nmap:
nmap --script ssl-cert,ssl-enum-ciphers -p 995 <target_ip>
This command checks for the SSL certificate and supported encryption ciphers, helping you determine if the SSL/TLS configuration is strong or outdated.
Using OpenSSL to Test SSL/TLS:
openssl s_client -connect <target_ip>:995 -showcerts
openssl s_client -connect <target_ip>:110 -starttls pop3
The first command opens a TLS session to the POP3S server and prints the certificate chain, the negotiated protocol version and the cipher; the second checks whether port 110 offers an STLS (STARTTLS) upgrade. A successful handshake only shows that TLS is offered, not that it is enforced: also check whether USER/PASS is accepted on port 110 without STLS, and review the certificate (expiry, self-signed, hostname mismatch) and the negotiated protocol and cipher for deprecated options such as SSLv3 or TLS 1.0.
Enumerating POP3 Capabilities
Identify the supported capabilities of the POP3 service. This can reveal potential misconfigurations and features that may be exploited.
Using Telnet for Plain Text POP3 (Port 110):
telnet <target_ip> 110
By connecting with Telnet (or nc <target_ip> 110) you can interact with the POP3 service by hand. Type CAPA after connecting to list the supported capabilities, such as USER (cleartext USER/PASS login is accepted), SASL followed by the accepted AUTH mechanisms (for example PLAIN, LOGIN or NTLM), STLS (a STARTTLS upgrade is available on port 110), TOP and UIDL. Note that PASS is not advertised as a capability; the USER line implies it.
Manual Enumeration Commands:
POP commands:
USER uid        Log in as "uid"
PASS password   Substitute "password" for your actual password
STAT            List number of messages, total mailbox size
LIST            List messages and sizes
RETR n          Show message n
DELE n          Mark message n for deletion
RSET            Undo any changes
QUIT            Logout (expunges messages if no RSET)
TOP msg n       Show first n lines of message number msg
CAPA            Get capabilities
Automated Enumeration Commands:
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p <PORT> <IP> #Both are default scripts
The pop3-ntlm-info script returns "sensitive" data (Windows version, NetBIOS computer and domain names, DNS names) when the server offers NTLM authentication, because the NTLM challenge message carries that information before any credential is sent.
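The CAPA enumeration described above, done programmatically, as an added example that is not part of the original page. The sample CAPA response is constructed (it is what a Dovecot-style server on port 110 without STLS might answer, not a real capture), and the function names parse_capa, assess_capa and enumerate_pop3 are this example's own. enumerate_pop3 needs network access and disables certificate verification on 995 because pentest targets commonly use self-signed certificates; the parser and the assessment run offline.

```python
import io
import socket
import ssl
from typing import Dict, List, Tuple


def read_line(rfile) -> str:
    """Read one CRLF-terminated POP3 line from a binary file object."""
    raw = rfile.readline()
    if not raw:
        raise ConnectionError("server closed the connection")
    return raw.decode("utf-8", "replace").rstrip("\r\n")


def read_multiline(rfile) -> List[str]:
    """Read a multi-line response body up to the terminating '.' line,
    undoing RFC 1939 byte-stuffing ('..' at line start means a literal '.')."""
    lines: List[str] = []
    while True:
        line = read_line(rfile)
        if line == ".":
            return lines
        lines.append(line[1:] if line.startswith("..") else line)


def parse_capa(lines: List[str]) -> Dict[str, List[str]]:
    """Turn CAPA body lines such as 'SASL PLAIN LOGIN' into {'SASL': ['PLAIN', 'LOGIN']}."""
    caps: Dict[str, List[str]] = {}
    for line in lines:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def assess_capa(caps: Dict[str, List[str]], tls_port: bool) -> List[str]:
    """Flag the capabilities a pentester cares about. tls_port=True means the
    session is already wrapped in TLS (port 995), so STLS does not matter there."""
    findings: List[str] = []
    if not tls_port and "STLS" not in caps:
        findings.append("no STLS offered: every login on this port is cleartext")
    if not tls_port and "USER" in caps:
        findings.append("USER/PASS accepted before STLS: credentials can be sniffed")
    mechs = {m.upper() for m in caps.get("SASL", [])}
    if mechs & {"PLAIN", "LOGIN"}:
        findings.append("SASL PLAIN/LOGIN offered: base64 only, not encryption")
    if "NTLM" in mechs:
        findings.append("SASL NTLM offered: try nmap pop3-ntlm-info for host/OS details")
    if "IMPLEMENTATION" in caps:
        findings.append("server identifies itself as: " + " ".join(caps["IMPLEMENTATION"]))
    return findings


def enumerate_pop3(host: str, port: int = 110, timeout: float = 5.0) -> Tuple[str, Dict[str, List[str]]]:
    """Live enumeration (needs network): read the banner, send CAPA, return both."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if port == 995:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # assumption: target cert is often self-signed
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    rfile = sock.makefile("rb")
    banner = read_line(rfile)
    sock.sendall(b"CAPA\r\n")
    status = read_line(rfile)
    body = read_multiline(rfile) if status.startswith("+OK") else []
    sock.sendall(b"QUIT\r\n")
    sock.close()
    return banner, parse_capa(body)


# Constructed CAPA response (sample, not captured from a real host).
SAMPLE_RESPONSE = (b"+OK\r\nCAPA\r\nTOP\r\nUSER\r\nSASL PLAIN LOGIN NTLM\r\n"
                   b"RESP-CODES\r\nPIPELINING\r\nUIDL\r\nIMPLEMENTATION Dovecot\r\n.\r\n")


def parse_sample() -> Dict[str, List[str]]:
    """Run the parser over the constructed response as if it came off the wire."""
    rfile = io.BytesIO(SAMPLE_RESPONSE)
    if not read_line(rfile).startswith("+OK"):
        raise ValueError("CAPA rejected")
    return parse_capa(read_multiline(rfile))


if __name__ == "__main__":
    for finding in assess_capa(parse_sample(), tls_port=False):
        print("[!]", finding)
```

Against a live target, call enumerate_pop3 once on 110 and once on 995 and compare: a server that advertises USER on 110 without STLS is the case the sniffing section later on this page exploits.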
Attempting Login Bruteforce (if authorized)
To test for weak credentials, you can attempt to bruteforce the POP3 login using known or guessed credentials. Use this only if authorized, as it can lock accounts and trigger alerts.
Hydra for POP3 Bruteforce:
hydra -l <username> -P <password_list> pop3://<target_ip> -s 110
The command above attempts login on POP3 with port 110 using a specified username and password list.
POP3S Bruteforce (over SSL on port 995):
hydra -l <username> -P <password_list> pop3s://<target_ip> -s 995
This command tries to authenticate over POP3S. It is important to test both the plaintext and the TLS service if both are exposed, because they may be backed by different authentication settings or lockout behaviour.
Testing for POP3 Vulnerabilities
Look for specific vulnerabilities associated with the POP3 server version, especially if outdated. Some common tools and methods include:
SearchSploit:
searchsploit <POP3_version>
SearchSploit checks for known vulnerabilities associated with the detected POP3 version. This can help identify possible exploits to use.
Metasploit: Metasploit has a banner-grabbing module for POP3:
msfconsole
use auxiliary/scanner/pop3/pop3_version
set RHOSTS <target_ip>
run
This module only retrieves the POP3 greeting to identify the server software and version; it does not test for vulnerabilities itself. Use its output with SearchSploit or a vulnerability database.
Banner Grabbing (for version identification):
nc -nv <target_ip> 110
openssl s_client -connect <target_ip>:995 -crlf -quiet
Netcat connects to the plaintext POP3 service; the openssl command does the same over TLS on port 995 (-crlf sends proper CRLF line endings, -quiet suppresses the certificate dump). In both cases the server's greeting (+OK ...) often includes the software name and version, and sometimes an APOP timestamp in angle brackets.
Sniffing POP3 Traffic (If Using Plain Text)
If the target is using unencrypted POP3 on port 110, you may be able to capture and read email credentials and messages in transit.
Wireshark:
Capture Filter:
tcp port 110
By setting this filter, Wireshark will capture only traffic over port 110, allowing you to inspect any unencrypted POP3 login attempts or email retrievals.
tcpdump:
tcpdump -i <interface> tcp port 110 -w pop3_traffic.pcap
This command captures POP3 traffic on port 110 and saves it to a .pcap file for later analysis. Open this file in Wireshark (Follow TCP Stream) to view credentials and message contents if they are transmitted in clear text.
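The credential recovery that the sniffing section describes, as an added example that is not part of the original page. The input is a constructed "Follow TCP Stream" transcript (client lines prefixed C:, server lines S:), not a real capture; the function names parse_stream and decode_plain are this example's own. It recovers cleartext USER/PASS logins, decodes AUTH PLAIN (base64 of NUL authcid NUL password, so the sample's AGJvYgBzdW1tZXIyMDI0 is bob / summer2024), and for APOP, where only an MD5 digest crosses the wire, it pairs the banner timestamp with the digest so the password can be cracked offline; each credential is tagged with whether the server accepted it.

```python
import base64
from typing import Dict, List, Optional

# Constructed port-110 transcript (sample, not a real capture): three sessions.
SAMPLE_STREAM = """\
S: +OK POP3 server ready <1896.697170952@mail.example.test>
C: USER alice
S: +OK
C: PASS Winter2024!
S: +OK Logged in.
C: STAT
S: +OK 3 7811
C: QUIT
S: +OK Logging out.
S: +OK POP3 server ready <1896.697170953@mail.example.test>
C: AUTH PLAIN
S: +
C: AGJvYgBzdW1tZXIyMDI0
S: +OK Logged in.
C: QUIT
S: +OK Logging out.
S: +OK POP3 server ready <1896.697170954@mail.example.test>
C: APOP carol c4c9334bac560ecc979e58001b3e22fb
S: -ERR Authentication failed.
"""


def decode_plain(b64: str) -> Dict[str, Optional[object]]:
    """Decode an RFC 4616 PLAIN response: [authzid] NUL authcid NUL passwd."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\x00")
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"mech": "PLAIN", "user": None, "secret": b64, "accepted": None}
    if len(parts) < 3:
        return {"mech": "PLAIN", "user": None, "secret": b64, "accepted": None}
    return {"mech": "PLAIN", "user": parts[-2].decode(errors="replace"),
            "secret": parts[-1].decode(errors="replace"), "accepted": None}


def parse_stream(text: str) -> List[Dict[str, Optional[object]]]:
    """Walk a C:/S: labelled POP3 stream and collect every credential sent."""
    creds: List[Dict[str, Optional[object]]] = []
    pending_user: Optional[str] = None
    pending: Optional[Dict[str, Optional[object]]] = None  # awaiting the server's verdict
    awaiting_plain = False  # AUTH PLAIN sent without an initial response
    challenge: Optional[str] = None  # APOP timestamp from the most recent banner
    for raw in text.splitlines():
        if raw[:3] not in ("C: ", "S: "):
            continue
        side, line = raw[0], raw[3:]
        if side == "S":
            if line.startswith("+OK") and "<" in line and "@" in line and ">" in line:
                challenge = line[line.index("<"):line.index(">") + 1]
            if pending is not None:  # the reply to PASS / AUTH / APOP
                pending["accepted"] = line.startswith("+OK")
                creds.append(pending)
                pending = None
            continue
        if awaiting_plain:  # this client line is the base64 blob
            awaiting_plain = False
            pending = decode_plain(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pending_user = arg
        elif verb == "PASS":
            pending = {"mech": "USER/PASS", "user": pending_user, "secret": arg, "accepted": None}
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() == "PLAIN":
                if initial:
                    pending = decode_plain(initial)
                else:
                    awaiting_plain = True
        elif verb == "APOP":
            user, _, digest = arg.partition(" ")
            # Password never crosses the wire; keep timestamp:digest for offline cracking.
            pending = {"mech": "APOP", "user": user, "secret": f"{challenge}:{digest}", "accepted": None}
    return creds


if __name__ == "__main__":
    for cred in parse_stream(SAMPLE_STREAM):
        print(cred)
```

AUTH LOGIN (two base64 prompts) is not handled here; add a second awaiting state for it the same way as AUTH PLAIN. The "accepted" flag matters in practice: a sniffed PASS that the server rejected is still worth trying elsewhere, but it should be reported as a failed attempt, not a valid credential.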
Exploiting POP3 Misconfigurations
Some POP3 servers may have misconfigurations, such as weak authentication mechanisms or default credentials. Test for these with caution.
Default Credential Testing:
Common default POP3 credentials include admin:admin, root:root, user:password, etc. If any of these grant access, document it as a critical vulnerability.
Relay Abuse via POP3 Credentials:
POP3 itself cannot relay mail; open relay is an SMTP issue. The POP3-related case is the legacy POP-before-SMTP scheme, where a successful POP3 login temporarily authorizes the client's IP address to relay through the SMTP server. If that is in place, a guessed or sniffed POP3 credential also grants mail relaying, so after a successful POP3 login test whether the SMTP service on the same host now accepts mail for external recipients from your address.
Post-Exploitation with POP3 Access
If you successfully authenticate, retrieve emails to assess their content for sensitive information.
Retrieving Emails with Telnet:
USER <username>
PASS <password>
STAT
RETR <message_number>
After authentication, the STAT command shows the number of messages and total storage size. Use RETR followed by a message number to retrieve a specific email (LIST shows each message number with its size, and TOP <n> 0 fetches only the headers of message n).
Using Python for Automated Email Retrieval:
import poplib

# Plaintext POP3 on 110; use poplib.POP3_SSL('<target_ip>', 995) for POP3S
server = poplib.POP3('<target_ip>', 110)
server.user('<username>')
server.pass_('<password>')
# list() returns (response, [b'1 1234', b'2 5678', ...], octets)
for entry in server.list()[1]:
    msg_num = entry.split()[0].decode()        # b'1 1234' -> '1'
    response, lines, octets = server.retr(msg_num)
    print("\n".join(line.decode('utf-8', 'replace') for line in lines))
server.quit()
This script connects to the POP3 server, logs in, and retrieves each message, which can be analyzed for sensitive information.
Dangerous Settings
The settings below are Dovecot authentication options (Dovecot is the most common POP3/IMAP server on Linux). Check them if you obtain read access to dovecot.conf or the conf.d directory: the password-logging options turn the auth log into a credential store, and the anonymous mechanism can allow logins without a password.

| Setting | Description |
|---|---|
| auth_debug | Enables all authentication debug logging. |
| auth_debug_passwords | In addition to auth_debug, logs the submitted passwords and the password scheme. |
| auth_verbose | Logs unsuccessful authentication attempts and their reasons. |
| auth_verbose_passwords | Logs the password used in failed authentication attempts (as plain text or as a sha1 hash); the logged value can be truncated to a set number of characters. |
| auth_anonymous_username | The username used when a client logs in with the ANONYMOUS SASL mechanism; only relevant if anonymous is listed in auth_mechanisms. |
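A check for the Dovecot settings in the table above, as an added example that is not part of the original page. The configuration excerpt is constructed (a deliberately weak sample, not a real host's file), and the function names parse_conf, audit and harden are this example's own. It only understands top-level key = value lines, not Dovecot's nested { } blocks, which is enough for the auth_* settings discussed here; it flags the password-logging options, treats auth_verbose as informational (it logs failed attempts, which defenders want), reports the ANONYMOUS mechanism only when auth_mechanisms actually enables it, and also checks disable_plaintext_auth, the setting that controls whether USER/PASS is accepted on port 110 before STLS.

```python
import re
from typing import Dict, List, Tuple

# Constructed dovecot.conf excerpt (sample, not from a real host).
SAMPLE_CONF = """\
protocols = pop3 imap
auth_mechanisms = plain login anonymous
auth_anonymous_username = anonymous
disable_plaintext_auth = no   # allows cleartext logins on 110
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
"""

# Safe values to write back for the settings that take a fixed value.
HARDENED_VALUES = {
    "auth_debug": "no",
    "auth_debug_passwords": "no",
    "auth_verbose_passwords": "no",
    "disable_plaintext_auth": "yes",
}


def parse_conf(text: str) -> Dict[str, str]:
    """Collect top-level 'key = value' lines, ignoring comments and blank lines."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z_]\w*)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit(settings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (setting, severity, message) for each risky value. Defaults follow Dovecot."""
    findings: List[Tuple[str, str, str]] = []
    if settings.get("auth_debug_passwords", "no").lower() == "yes":
        findings.append(("auth_debug_passwords", "high", "cleartext passwords and scheme written to the auth log"))
    verbose_pw = settings.get("auth_verbose_passwords", "no").lower().split(":")[0]
    if verbose_pw == "plain":
        findings.append(("auth_verbose_passwords", "high", "failed-login passwords logged in cleartext (typos of real passwords included)"))
    elif verbose_pw == "sha1":
        findings.append(("auth_verbose_passwords", "medium", "failed-login passwords logged as sha1, crackable offline"))
    if settings.get("auth_debug", "no").lower() == "yes":
        findings.append(("auth_debug", "medium", "verbose auth debugging leaks usernames and the login flow to logs"))
    if settings.get("auth_verbose", "no").lower() == "yes":
        findings.append(("auth_verbose", "info", "failed attempts are logged; useful for detection, no secrets"))
    mechs = settings.get("auth_mechanisms", "plain").lower().split()
    if "anonymous" in mechs:
        anon = settings.get("auth_anonymous_username", "anonymous")
        findings.append(("auth_mechanisms", "high", f"ANONYMOUS SASL enabled: anyone logs in as '{anon}' without a password"))
    if settings.get("disable_plaintext_auth", "yes").lower() == "no":
        findings.append(("disable_plaintext_auth", "high", "cleartext USER/PASS allowed on port 110 without STLS"))
    return findings


def harden(text: str) -> str:
    """Rewrite the risky lines in place, keeping everything else as it was."""
    out: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        key = stripped.split("=", 1)[0].strip()
        if stripped.startswith("#") or "=" not in stripped:
            out.append(line)
        elif key in HARDENED_VALUES:
            out.append(f"{key} = {HARDENED_VALUES[key]}")
        elif key == "auth_mechanisms":
            mechs = [m for m in stripped.split("=", 1)[1].split() if m.lower() != "anonymous"]
            out.append("auth_mechanisms = " + " ".join(mechs))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for setting, severity, message in audit(parse_conf(SAMPLE_CONF)):
        print(f"[{severity}] {setting}: {message}")
    print(harden(SAMPLE_CONF))
```

On a compromised host the same audit also tells you where to look next: if auth_debug_passwords or auth_verbose_passwords = plain was ever enabled, the Dovecot auth log is worth reading for credentials before any brute force is attempted.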