POP3 - Post Office Protocol
This section will cover ways to enumerate Post Office Protocol (POP3).
Table of Contents
- Overview
- Default Configuration
- Dangerous Settings
- Enumerating POP3
- Nmap
- cURL
- OpenSSL
Overview
Unlike IMAP, the Post Office Protocol (POP3) only provides listing, retrieving, and deleting emails as functions at the email server. This makes protocols such as IMAP a "must use" for additional functionality such as hierarchical mailboxes directly at the mail server, access to multiple mailboxes during a session, and preselection of emails.
Like IMAP, POP3 is unencrypted. POP3 uses TCP port 110, with TCP port 995 used for SSL/TLS connections.
Default Configuration
POP3 has a large number of configurations. The table below lists some POP3 commands and their descriptions.
| Command | Description |
|---|---|
| USER username | Identify the user. |
| PASS password | Authenticate the user with its password. |
| STAT | Requests the number of saved emails on the server. |
| LIST | Requests the number and size of all emails. |
| RETR id | Requests the server to deliver the requested email by ID. |
| DELE id | Requests the server to delete the requested email by ID. |
| CAPA | Requests the server to display the server capabilities. |
| RSET | Requests the server to reset the transmitted information. |
| QUIT | Closes the connection with the server. |
Dangerous Settings
There are many configuration options that, if improperly configured, can allow an attacker to obtain more information.
The table below lists some settings that can be dangerous, with their descriptions.
| Setting | Description |
|---|---|
| auth_debug | Enables all authentication debug logging. |
| auth_debug_passwords | Adjusts log verbosity; the submitted passwords and the scheme get logged. |
| auth_verbose | Logs unsuccessful authentication attempts and their reason. |
| auth_verbose_passwords | Passwords used for authentication are logged and can also be truncated. |
| auth_anonymous_username | Specifies the username to be used when logging in with the ANONYMOUS SASL mechanism. |
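One way to check a server configuration for the settings in the table above, as an added example that is not from the original page. It assumes a Dovecot-style `key = value` file in which `#` starts a comment and a later assignment overrides an earlier one; `audit_config`, `SAFE_VALUES` and the sample text are hypothetical names and constructed data.

```python
import re

# Settings from the table above, mapped to the values treated as safe here.
# The key = value syntax and the yes/no/plain values are assumptions
# (Dovecot-style configuration); the page does not name the server software.
SAFE_VALUES = {
    "auth_debug": {"no"},
    "auth_debug_passwords": {"no"},
    "auth_verbose": {"no"},
    "auth_verbose_passwords": {"no"},
    "auth_anonymous_username": set(),  # any explicit value is reported for review
}

LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def audit_config(text):
    """Return sorted (line_no, setting, value) for the effective risky settings."""
    effective = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments, including commented-out defaults
        match = LINE_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip('"').lower()
        if key in SAFE_VALUES:
            effective[key] = (line_no, value)  # assumed: a later assignment wins
    return sorted(
        (line_no, key, value)
        for key, (line_no, value) in effective.items()
        if value not in SAFE_VALUES[key]
    )


# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
#auth_debug = yes
auth_verbose = yes
auth_debug_passwords = no
auth_verbose_passwords = plain   # logs submitted passwords
auth_debug_passwords = yes
auth_anonymous_username = anonymous
protocols = imap pop3
"""

if __name__ == "__main__":
    for line_no, key, value in audit_config(SAMPLE):
        print(f"line {line_no}: {key} = {value}")
```

The commented-out `auth_debug` line is ignored, and `auth_debug_passwords` is reported at the line where it is re-enabled rather than where it was first set to `no`.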
Enumerating POP3
By default, POP3 uses TCP ports 110 and 995, with port 995 used for SSL/TLS to encrypt communications between the client and server. There are many tools we can use to enumerate POP3.
Some tools are:
- Nmap
- cURL
- OpenSSL
Nmap
We can use the default scripts (-sC) and version scan (-sV) to enumerate information.
nmap -sV -sC -p 110,995 10.42.0.1
Command breakdown:
- `-sV` - Specify to scan the version.
- `-sC` - Specify to use the default Nmap scripts.
- `-p 110,995` - Specify to scan ports 110 and 995.
- `10.42.0.1` - Specify the target IP address to scan.
cURL
We can use the following curl command to list mailboxes.
curl -k 'pop3s://10.42.0.1' --user user:MyPassword
Command breakdown:
- `-k` - Allow connections to SSL/TLS servers without verifying the certificate.
- `'pop3s://10.42.0.1'` - Specify to connect to the specified target using POP3 over a secure connection.
- `--user user:MyPassword` - Specifies the username and password to use for authentication.
We can also use the verbose (-v) option to see how the connection is established. Some information that it can provide is the version of TLS being used, further details of the SSL certificate, and the banner of the service.
curl -k 'pop3s://10.42.0.1' --user user:MyPassword -v
OpenSSL
To interact with POP3 over SSL, we can use openssl and netcat.
openssl s_client -connect 10.42.0.1:pop3s
Command breakdown:
- `s_client` - Specify to use SSL/TLS.
- `-connect 10.42.0.1:pop3s` - Specify the server IP address to connect to using POP3.