Hacktricks-skills pop3-pentesting

How to enumerate, test, and exploit POP3 mail servers during security assessments. Use this skill whenever the user mentions POP3, port 110, port 995, email server testing, mail server enumeration, or any task related to testing Post Office Protocol services. This includes banner grabbing, capability enumeration, brute force attacks, and identifying misconfigurations that expose credentials.

Install: clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/network-services-pentesting/pentesting-pop/SKILL.MD

POP3 Pentesting Skill

A comprehensive guide for testing Post Office Protocol (POP3) mail servers during security assessments.

Quick Reference

Port  Service  Protocol
110   POP3     Unencrypted
995   POP3S    SSL/TLS Encrypted

Enumeration

Banner Grabbing

Start by connecting to the POP3 service to identify the server software and version:

Unencrypted (port 110):

nc -nv <target-ip> 110

Encrypted (port 995):

openssl s_client -connect <target-ip>:995 -crlf -quiet

Using the bundled script:

./scripts/banner_grab.sh <target-ip> [port]

Nmap Scanning

Run Nmap with POP3-specific scripts to enumerate capabilities and detect NTLM authentication:

nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110,995 <target-ip>

Using the bundled script:

./scripts/nmap_pop3_scan.sh <target-ip>

The pop3-ntlm-info script can reveal sensitive Windows version information.

Metasploit Enumeration

Quick version enumeration without launching the full console:

msfconsole -q -x 'use auxiliary/scanner/pop3/pop3_version; set RHOSTS <target-ip>; set RPORT 110; run; exit'

Manual POP3 Commands

Connect via telnet or netcat and use these commands:

Command          Description
USER <username>  Log in as specified user
PASS <password>  Provide password
STAT             List message count and mailbox size
LIST             List all messages with sizes
RETR <n>         Retrieve message number n
DELE <n>         Mark message n for deletion
RSET             Reset/undo changes
QUIT             Logout (deletes marked messages)
TOP <msg> <n>    Show first n lines of message
CAPA             Get server capabilities

Example Session

telnet <target-ip> 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready

USER billydean
+OK

PASS password
+OK Welcome billydean

LIST
+OK 2 1807
1 786
2 1021

RETR 1
+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,

Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!

Brute Force Attacks

Using Hydra

When you have a username and password list:

hydra -l <username> -P <password-list> -f <target-ip> pop3 -V

Parameters:

  • -l: Single username
  • -P: Password list file
  • -f: Stop on first success
  • -V: Verbose output

Using Metasploit

msfconsole
use auxiliary/scanner/pop3/pop3_login
set RHOSTS <target-ip>
set RPORT 110
set USER_FILE /path/to/users.txt
set PASS_FILE /path/to/passwords.txt
run

Common Vulnerabilities

Password Logging Misconfigurations

Some POP3 servers log passwords in cleartext when debug settings are enabled:

  • auth_debug - Increases log verbosity
  • auth_debug_passwords - Logs passwords in cleartext
  • auth_verbose_passwords - Verbose password logging

Check server logs if you gain access to the mail server filesystem:

grep -i "password" /var/log/mail.log
grep -i "auth" /var/log/mail.log
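
An added example, not part of the original skill or its bundled scripts: a shell check that audits the three settings above from the configuration side instead of the log side. It assumes Dovecot-style "key = value" settings (for example the output of `doveconf -n`); the names `audit_auth_logging` and `sample_conf`, the severity labels and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes Dovecot-style
# "key = value" settings, e.g. the output of `doveconf -n`.

# Reads config text on stdin; prints "SEVERITY key=value note" per finding.
# Returns 1 when a setting writes cleartext passwords to the log, else 0.
audit_auth_logging() {
    awk '
    {
        sub(/#.*/, "")                       # strip comments
        if (split($0, kv, "=") < 2) next     # skip lines without key = value
        key = kv[1]; val = tolower(kv[2])
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key ~ /^auth_(debug|debug_passwords|verbose_passwords)$/)
            seen[key] = val                  # last assignment wins
    }
    END {
        if (seen["auth_debug_passwords"] == "yes") {
            print "HIGH auth_debug_passwords=yes cleartext passwords in debug log"
            high = 1
        }
        v = seen["auth_verbose_passwords"]
        if (v ~ /^sha1/)
            print "MEDIUM auth_verbose_passwords=" v " password hashes logged"
        else if (v != "" && v != "no") {     # anything else: treat as cleartext
            print "HIGH auth_verbose_passwords=" v " attempted passwords logged"
            high = 1
        }
        if (seen["auth_debug"] == "yes")
            print "LOW auth_debug=yes verbose auth logging enabled"
        exit (high ? 1 : 0)
    }'
}

# Constructed sample configuration, not taken from a real server.
sample_conf() {
    cat <<'EOF'
# constructed sample
protocols = pop3 imap
auth_debug = yes
auth_debug_passwords = no
auth_verbose_passwords = sha1:6
auth_debug_passwords = yes   # later assignment overrides the earlier one
EOF
}

sample_conf | audit_auth_logging || echo "cleartext password logging is enabled"
```

On a live host the same function can be fed with `doveconf -n | audit_auth_logging`; any HIGH line means the mail log should be treated as credential material and the setting switched off.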

Weak Credentials

POP3 servers often have:

  • Default credentials
  • Weak passwords
  • Reused credentials from other services

Information Disclosure

Email messages may contain:

  • Credentials for other systems
  • Sensitive business information
  • Internal network details

Workflow

  1. Reconnaissance: Identify POP3 services on target
  2. Banner Grabbing: Determine server software and version
  3. Capability Enumeration: Use CAPA command and Nmap scripts
  4. Credential Testing: Attempt known credentials or brute force
  5. Message Analysis: Review retrieved emails for sensitive data
  6. Log Analysis: Check for password logging misconfigurations

Safety Notes

  • Always obtain proper authorization before testing
  • POP3 credentials may grant access to sensitive email data
  • Some brute force attempts may trigger account lockouts
  • Document all findings for the security assessment report

Bundled Scripts

See the scripts/ directory for:

  • banner_grab.sh - Automated banner grabbing
  • nmap_pop3_scan.sh - Nmap scanning wrapper
  • pop3_enum.sh - Comprehensive enumeration helper