# POP3 (Post Office Protocol 3)

Default ports: 110 (cleartext), 995 (POP3 over TLS)

Post Office Protocol 3 (POP3) is a standard protocol for retrieving email. It is a client/server protocol: mail is received and held on the mail server until a client connects and downloads it. Because the service is frequently exposed and poorly configured, it is a common target.
## Connect

### Manual Connection

You can use netcat to connect to the service manually:

```
nc <target-ip> 110
```
### Connect Using OpenSSL

You can use OpenSSL to test a TLS-wrapped POP3 connection on port 995:

```
openssl s_client -connect <ip>:995
```
## Recon

### Banner Grabbing

```
nc <ip> 110
```

### Using Nmap to Get Information

```
nmap -p 110 --script pop3-capabilities <ip>
```
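The capability list returned by the server (what `pop3-capabilities` prints) is what tells a defender whether the listener is safe. The following is an added example, not part of the original cheat sheet: it parses a CAPA reply in the RFC 2449 format and flags settings worth fixing. `SAMPLE_CAPA` is a constructed reply for an imaginary cleartext listener, and `assess` and `parse_capa` are names chosen here.

```python
# Added example (not part of the original cheat sheet): parse a POP3 CAPA
# reply (RFC 2449) and report configuration findings from a defender's view.
# SAMPLE_CAPA is constructed sample data, not output from a real host.
SAMPLE_CAPA = (
    "+OK Capability list follows\r\n"
    "TOP\r\n"
    "USER\r\n"
    "SASL PLAIN LOGIN\r\n"
    "RESP-CODES\r\n"
    "UIDL\r\n"
    "IMPLEMENTATION ExampleMail 1.2.3\r\n"
    ".\r\n"
)

def parse_capa(raw: str) -> dict[str, list[str]]:
    """Turn a CAPA reply into {CAPABILITY: [arguments]}; a lone '.' ends the list."""
    lines = raw.split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA was rejected or the reply is malformed")
    caps: dict[str, list[str]] = {}
    for line in lines[1:]:
        if line == ".":
            break
        if not line:
            continue
        name, *args = line.split()
        caps[name.upper()] = args
    return caps

def assess(caps: dict[str, list[str]], tls_port: bool = False) -> list[str]:
    """Return findings for one listener; tls_port=True means port 995 (implicit TLS)."""
    findings: list[str] = []
    # No TLS at all: neither an implicit-TLS port nor STLS advertised.
    cleartext = not tls_port and "STLS" not in caps
    if cleartext and "USER" in caps:
        findings.append("USER/PASS accepted on a cleartext port with no STLS: "
                        "credentials cross the wire unencrypted")
    weak_sasl = [m for m in caps.get("SASL", []) if m.upper() in ("PLAIN", "LOGIN")]
    if cleartext and weak_sasl:
        findings.append("SASL " + " ".join(weak_sasl) +
                        " offered without TLS: password-equivalent mechanisms in the clear")
    if "IMPLEMENTATION" in caps:
        findings.append("IMPLEMENTATION advertises server/version: "
                        + " ".join(caps["IMPLEMENTATION"]))
    return findings

if __name__ == "__main__":
    for finding in assess(parse_capa(SAMPLE_CAPA)):
        print("-", finding)
```

An advertised STLS only means the upgrade is available; whether the server refuses USER/PASS before the upgrade has to be confirmed in its configuration.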
## Enumeration

Enumerating a POP3 service can reveal sensitive information or a poorly configured system.

```
nmap -p 110 --script pop3-ntlm-info <ip>
```
## Attack Vectors

### Bruteforce Attack

You can perform a POP3 bruteforce attack using Nmap:

```
nmap -p 110 --script pop3-brute --script-args userdb=users.txt,passdb=pass.txt <ip>
```

Or you can perform a POP3 bruteforce attack using Hydra:

```
hydra -L <user list file> -P <password list file> -f <ip> pop3 -V
```
## Post-Exploitation

### Extract Emails

Once logged into a POP3 account, use the RETR command to read emails. This can provide a wealth of information, including sensitive data.

```
RETR 1
```

### Delete Emails

You can use the DELE command to delete a specific email:

```
DELE 1
```
### Check for Credentials

You may find username/password combinations in emails, which can grant access to additional accounts.

### Look for Sensitive Data

Users often send sensitive data via email. This data can be personal, financial, or a corporate secret.