# POP - Port 110/995

<details>

<summary>Support VeryLazyTech 🎉</summary>

* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses.  📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**

</details>

Pentesting POP (Post Office Protocol) services, particularly on ports **110** (POP3) and **995** (POP3S, POP3 secured with SSL/TLS), is essential to assess an email server's security posture. POP3 is widely used for retrieving emails from a server, so its configuration and transport security need to be verified to prevent unauthorized access and data leaks.

**Default ports:** 110, 995 (SSL/TLS)

```
PORT    STATE SERVICE
110/tcp open  pop3
```

***

## Scanning for Open Ports

First, identify whether the POP3 service is open on ports 110 (standard POP3) or 995 (POP3S - secure POP3 over SSL/TLS).

1. **Port Scanning with Nmap**:

   ```bash
   nmap -p 110,995 --open <target_ip>
   ```

   * This scans the target IP for open ports 110 and 995. Confirming these ports are open indicates that POP3 services are likely running.
2. **Service Detection**:

   ```bash
   nmap -sV -p 110,995 <target_ip>
   ```

   * The `-sV` flag allows Nmap to perform version detection, helping identify the specific version of the POP3 service running. This can give insight into any known vulnerabilities for that version.

## Checking for SSL/TLS on Port 995

POP3S on port 995 should be using SSL/TLS encryption. Verify this to understand if secure communication is enforced.

1. **SSL Scan with Nmap**:

   ```bash
   nmap --script ssl-cert,ssl-enum-ciphers -p 995 <target_ip>
   ```

   * This command checks for the SSL certificate and supported encryption ciphers, helping you determine if the SSL/TLS configuration is strong or outdated.
2. **Using OpenSSL to Test SSL/TLS**:

   ```bash
   openssl s_client -connect <target_ip>:995
   ```

   * This command establishes an SSL/TLS connection to the POP3S server, allowing you to view the certificate details and the negotiated protocol and cipher. A successful handshake confirms that the service speaks TLS; the certificate and cipher details show whether that TLS configuration is actually sound.

## Enumerating POP3 Capabilities

Identify the supported capabilities of the POP3 service. This can reveal potential misconfigurations and features that may be exploited.

1. **Using Telnet for Plain Text POP3** (Port 110):

   ```bash
   telnet <target_ip> 110
   ```

   * By connecting with Telnet, you can manually interact with the POP3 service. Type `CAPA` after connecting to see a list of supported POP3 capabilities, such as `USER`, `PASS`, and `AUTH`.
2. **Manual Enumeration Commands**:

   ```
   POP commands:
     USER uid           Log in as "uid"
     PASS password      Substitute "password" for your actual password
     STAT               List number of messages, total mailbox size
     LIST               List messages and sizes
     RETR n             Show message n
     DELE n             Mark message n for deletion
     RSET               Undo any changes
     QUIT               Logout (expunges messages if no RSET)
     TOP msg n          Show first n lines of message number msg
     CAPA               Get capabilities
   ```
3. **Automated Enumeration Commands:**

   ```bash
   nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p <PORT> <target_ip> # both scripts run in Nmap's default script set
   ```

   * The `pop3-ntlm-info` script will return some "**sensitive**" data (Windows versions) when the server supports NTLM authentication.
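The CAPA output gathered above is most useful when it is checked against a hardening baseline. The following added example (not code from the original page) parses a `CAPA` result in the dictionary form that `poplib.POP3.capa()` returns and flags the two things a reviewer cares about on port 110: whether `STLS` is offered at all, and whether `USER`/`PASS` or cleartext SASL mechanisms are advertised before TLS is established. The `SAMPLE_CAPA` dictionary is constructed, not captured from a real server; `fetch_capa` is the live variant and needs network access.

```python
import poplib
import ssl

# Constructed CAPA result for a plaintext-port server (not captured from a
# real host), in the {capability: [arguments]} form poplib.POP3.capa() returns.
SAMPLE_CAPA = {
    "TOP": [], "USER": [], "UIDL": [], "PIPELINING": [],
    "SASL": ["PLAIN", "LOGIN"],
    "IMPLEMENTATION": ["ExampleMailServer", "1.0"],
}


def assess_capa(caps, port=110):
    """Return (code, message) findings for a CAPA dictionary.

    On the plaintext port the checks are: is STLS offered, and are USER/PASS
    or cleartext SASL mechanisms advertised before TLS is negotiated (a server
    that enforces TLS hides them until after STLS).  The IMPLEMENTATION
    capability is reported on any port because it reveals the software."""
    findings = []
    caps = {k.upper(): v for k, v in caps.items()}
    sasl = {m.upper() for m in caps.get("SASL", [])}
    if port == 110:
        if "STLS" not in caps:
            findings.append(("NO_STLS", "no STLS capability: connections to 110 cannot upgrade to TLS"))
        cleartext = ["USER"] if "USER" in caps else []
        cleartext += sorted(sasl & {"PLAIN", "LOGIN"})
        if cleartext:
            findings.append(("CLEARTEXT_AUTH", "cleartext authentication advertised before TLS: " + ", ".join(cleartext)))
    if "IMPLEMENTATION" in caps:
        findings.append(("IMPLEMENTATION", "server reveals its software: " + " ".join(caps["IMPLEMENTATION"])))
    return findings


def fetch_capa(host, port=110, timeout=10):
    """Live check (needs network): issue CAPA and return poplib's dict."""
    if port == 995:
        conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = poplib.POP3(host, port, timeout=timeout)
    try:
        return conn.capa()
    finally:
        conn.quit()


if __name__ == "__main__":
    for code, msg in assess_capa(SAMPLE_CAPA, 110):
        print(f"[{code}] {msg}")
```

Run `assess_capa(fetch_capa(host), 110)` against the plaintext port and `assess_capa(fetch_capa(host, 995), 995)` against POP3S to compare what each listener advertises.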

## Attempting Login Bruteforce (if authorized)

To test for weak credentials, you can attempt to bruteforce the POP3 login using known or guessed credentials. **Use this only if authorized, as it can lock accounts and trigger alerts**.

1. **Hydra for POP3 Bruteforce**:

   ```bash
   hydra -l <username> -P <password_list> pop3://<target_ip> -s 110
   ```

   * The command above attempts login on POP3 with port 110 using a specified username and password list.
2. **POP3S Bruteforce** (over SSL on port 995):

   ```bash
   hydra -l <username> -P <password_list> pop3s://<target_ip> -s 995
   ```

   * This command tries to authenticate over POP3S. It’s important to test for both plain and secure POP3 services if they are both available.

## Testing for POP3 Vulnerabilities

Look for specific vulnerabilities associated with the POP3 server version, especially if outdated. Some common tools and methods include:

1. **SearchSploit**:

   ```bash
   searchsploit <POP3_version>
   ```

   * SearchSploit checks for known vulnerabilities associated with the detected POP3 version. This can help identify possible exploits to use.
2. **Metasploit**: Metasploit has a module for testing common POP3 vulnerabilities:

   ```bash
   msfconsole
   use auxiliary/scanner/pop3/pop3_version
   set RHOSTS <target_ip>
   run
   ```

   * This Metasploit module scans for the POP3 service version and some known vulnerabilities.
3. **Banner Grabbing** (for version identification):

   ```bash
   nc -nv <target_ip> 110
   openssl s_client -connect <target_ip>:995 -crlf -quiet
   ```

   * Netcat connects to the plaintext POP3 service and the `openssl s_client` command does the same over TLS on port 995. In both cases the server's initial `+OK` greeting might include a banner revealing the software and version.

## Sniffing POP3 Traffic (If Using Plain Text)

If the target is using unencrypted POP3 on port 110, you may be able to capture and read email credentials and messages in transit.

1. **Wireshark**:
   * **Capture Filter**: `tcp port 110`
   * By setting this filter, Wireshark will capture only traffic over port 110, allowing you to inspect any unencrypted POP3 login attempts or email retrievals.
2. **tcpdump**:

   ```bash
   tcpdump -i <interface> tcp port 110 -w pop3_traffic.pcap
   ```

   * This command captures POP3 traffic on port 110 and saves it to a `.pcap` file for later analysis. Inspect this file in Wireshark to view credentials and message contents if they are transmitted in clear text.

## Exploiting POP3 Misconfigurations

Some POP3 servers may have misconfigurations, such as weak authentication mechanisms or default credentials. Test for these with caution.

1. **Default Credential Testing**:
   * Common default POP3 credentials include `admin:admin`, `root:root`, `user:password`, etc. If accessible, document it as a critical vulnerability.
2. **Testing for Open Relay (unlikely but possible)**:
   * While primarily an SMTP issue, some misconfigured POP3 services may allow unintended access to other email services or mail relaying, typically revealing poor configuration practices.

## Post-Exploitation with POP3 Access

If you successfully authenticate, retrieve emails to assess their content for sensitive information.

1. **Retrieving Emails with Telnet**:

   ```plaintext
   USER <username>
   PASS <password>
   STAT
   RETR <message_number>
   ```

   * After authentication, the `STAT` command shows the number of messages and total storage size. Use `RETR` followed by a message number to retrieve specific emails.
2. **Using Python for Automated Email Retrieval**:

   ```python
   import poplib

   # Plain POP3 on port 110; use poplib.POP3_SSL('<target_ip>', 995) for POP3S
   server = poplib.POP3('<target_ip>', 110)
   server.user('<username>')
   server.pass_('<password>')
   # list() returns (response, [b'1 1234', b'2 567', ...], octets):
   # each entry is "<message number> <size in octets>"
   messages = server.list()[1]
   for entry in messages:
       msg_num = int(entry.split()[0])      # RETR needs the number, not the size
       lines = server.retr(msg_num)[1]      # retr() returns (response, lines, octets)
       print(b"\n".join(lines).decode('utf-8', errors='replace'))
   server.quit()
   ```

   * This script connects to the POP3 server, logs in, and retrieves each message, which can be analyzed for sensitive information.

***

## Dangerous Settings

The following Dovecot authentication settings leak credentials or widen access when enabled, and are worth checking on any POP3 server you can review the configuration of:

| **Setting**               | **Description**                                                                                   |
| ------------------------- | ------------------------------------------------------------------------------------------------- |
| `auth_debug`              | Enables all authentication debug logging.                                                         |
| `auth_debug_passwords`    | Raises log verbosity further: the submitted passwords and the password scheme are written to the log. |
| `auth_verbose`            | Logs unsuccessful authentication attempts and their reasons.                                      |
| `auth_verbose_passwords`  | Passwords used for authentication are logged; the logged value can also be truncated.             |
| `auth_anonymous_username` | Specifies the username to be used when logging in with the ANONYMOUS SASL mechanism.              |
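To turn the table above into a repeatable check, the following added example (not code from the original page) parses a Dovecot-style `key = value` configuration excerpt and reports each of the listed settings that is in its risky state. It goes slightly beyond the table by also checking `disable_plaintext_auth` and `auth_mechanisms`, two real Dovecot settings that decide whether cleartext logins are accepted on port 110 and whether the ANONYMOUS mechanism is actually enabled; the `SAMPLE_CONF` text is constructed, not taken from any real deployment.

```python
import re

# Constructed Dovecot config excerpt (not from a real deployment), with every
# setting from the table in its risky state.
SAMPLE_CONF = """\
# 10-auth.conf (constructed sample)
disable_plaintext_auth = no
auth_mechanisms = plain login anonymous
auth_anonymous_username = anonymous
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = sha1:6   # truncated hash, still password-derived
"""


def parse_dovecot(text):
    """Parse 'key = value' lines; '#' starts a comment, other lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z_]\w*)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_dovecot(settings):
    """Return (severity, setting, reason) tuples for risky values.

    Defaults assumed where a key is absent are Dovecot's own defaults
    (auth_* logging off, disable_plaintext_auth = yes, auth_mechanisms = plain)."""
    findings = []
    if settings.get("auth_debug_passwords", "no") == "yes":
        findings.append(("high", "auth_debug_passwords", "submitted passwords are written to the log"))
    vp = settings.get("auth_verbose_passwords", "no")
    if vp != "no":
        findings.append(("high", "auth_verbose_passwords", "password material is logged (%s)" % vp))
    if settings.get("auth_debug", "no") == "yes":
        findings.append(("medium", "auth_debug", "auth debug logging is verbose and may expose request details"))
    if "anonymous" in settings.get("auth_mechanisms", "plain").lower().split():
        user = settings.get("auth_anonymous_username", "anonymous")
        findings.append(("medium", "auth_anonymous_username", "ANONYMOUS SASL enabled; such logins map to user '%s'" % user))
    if settings.get("disable_plaintext_auth", "yes") == "no":
        findings.append(("high", "disable_plaintext_auth", "USER/PASS accepted on port 110 before STLS"))
    if settings.get("auth_verbose", "no") == "yes":
        findings.append(("info", "auth_verbose", "failed logins are logged; useful for detection, keep it"))
    return findings


if __name__ == "__main__":
    for sev, key, why in audit_dovecot(parse_dovecot(SAMPLE_CONF)):
        print(f"{sev:6} {key}: {why}")
```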

{% hint style="success" %}
Learn & practice [**For the OSCP.**](https://buymeacoffee.com/verylazytech/e/271180)

{% endhint %}
