POP3 (Port 110, 995) Enumerate and interact with POP3 (Post Office Protocol) mail servers to retrieve emails and discover credentials.
Banner Grabbing Netcat Telnet OpenSSL (POP3S - Port 995) openssl s_client -connect 10.10.10.10:995
POP3 Commands Authentication USER username PASS password
Mailbox Operations STAT LIST LIST 1 RETR 1 DELE 1 CAPA RSET QUIT
Enumeration Nmap Scripts nmap -p110,995 --script pop3-capabilities,pop3-ntlm-info 10.10.10.10 nmap -p110,995 --script pop3-brute 10.10.10.10
Manual Enumeration nc -nv 10.10.10.10 110 CAPA USER test PASS test STAT LIST RETR 1 QUIT
Brute Force Hydra hydra -l user -P /usr/share/wordlists/rockyou.txt pop3://10.10.10.10 hydra -l user -P /usr/share/wordlists/rockyou.txt pop3s://10.10.10.10
Nmap nmap -p110 --script pop3-brute --script-args userdb=users.txt,passdb=passwords.txt 10.10.10.10
cURL Access Download Emails curl -k 'pop3://10.10.10.10' --user user:password curl -k 'pop3://10.10.10.10/1' --user user:password curl -k 'pop3s://10.10.10.10' --user user:password
Notes Dangerous Settings:
auth_debug - Enables all authentication debug loggingauth_debug_passwords - Logs submitted passwords and authentication schemesauth_verbose - Logs unsuccessful authentication attempts with reasonsauth_verbose_passwords - Passwords used for authentication are loggedauth_anonymous_username - Username for ANONYMOUS SASL mechanism
Security Considerations:
POP3 transmits credentials in cleartext on port 110
Always use POP3S (port 995) when possible for encrypted communication
Check for default credentials and weak passwords
POP3 typically downloads and deletes emails from server (unlike IMAP)
Common Misconfigurations:
Anonymous access enabled
Weak or default credentials
Verbose logging exposing credentials
Unencrypted connections allowed
Email Retrieval:
POP3 downloads emails to local client and typically deletes from server
IMAP keeps emails on server and syncs across devices
POP3 is simpler but less flexible than IMAP