POP3

protocolsandservers networksecurityprotocols footprinting

Post Office Protocol version 3 (POP3) is a protocol for fetching mail: the client opens the mailbox, checks whether there are (new) emails and, if so, downloads them and removes them from the mailbox.

🐊️ Port: 110 (TCP)

🔥 POP3 communications are not encrypted.

🔒 There is a secure version called POP3S (port 995, over SSL/TLS).

POP3 can be configured to leave emails on the server, but because of how the protocol works they stay marked as "new", and the client loses track of whether a mail was already read or not.

$ telnet IP 110
USER xxx
PASS xxx
STAT # number of messages and their total size in octets
LIST # list the messages in the mailbox with their sizes
RETR 1 # retrieve the first message
$ curl -k 'pop3s://IP' --user username:password # list messages over POP3S
$ curl -k 'pop3s://IP' [...] -X 'RETR 1' # send a raw POP3 command
$ openssl s_client -connect IP:pop3s # manual POP3S session

Pentester Notes ☠️

Foothold

attacking_common_services

$ msfconsole -q
msf6> use auxiliary/scanner/pop3/pop3_login
msf6> set USER_FILE /path/to/users.lst
msf6> set PASS_FILE /path/to/pass.lst
msf6> setg RHOSTS IP
msf6> run
  • You can also try USER on its own: some servers answer -ERR for an unknown account and +OK for an existing one:
$ telnet IP 110
USER xxx
-ERR
USER yyy
+OK

APOP

pop_apop

APOP is an optional authentication method that a POP3 server can implement. Instead of sending the cleartext password:

  • The server sends a challenge text (a timestamp such as <pid.clock@host>, used as a salt) in its greeting banner
  • The client returns the hash md5(challenge + password)
  • The server computes the hash md5(challenge + saved_password) and compares it with the hash it received

This authentication method is still vulnerable to sniffing: the challenge and the hash both travel in cleartext.

An attacker who captured both the challenge and the hash can brute force the password offline. With hashcat (mode 20 is md5($salt.$pass)):

$ cat hash
hash:salt
$ hashcat -m 20 hash wordlist

With John, it's slightly more complex: the hash has to be converted to the dynamic_1017 format (md5($s.$p) with a long salt) first:

$ cat apop2john.py
import argparse

# Convert a captured APOP hash + salt (the server timestamp) into John's
# dynamic_1017 format: md5($s.$p) with a long salt.
parser = argparse.ArgumentParser(description="Convert APOP hash:salt to John The Ripper Dynamic MD5 Hash")
parser.add_argument("hash", type=str, help="Hash string (the 32 hex digits sent by the client)")
parser.add_argument("salt", type=str, help="Salt string (the <...> timestamp from the server greeting)")
args = parser.parse_args()
# $HEX$ encodes the salt so characters like '<', '@' or ':' can't break John's field parsing.
print(f':$dynamic_1017${args.hash}$HEX${args.salt.encode().hex()}')
$ python apop2john.py "hash" "salt" > hash
$ john hash --wordlist=wordlist
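Added example (mine, not part of these notes): the APOP digest from RFC 1939 in Python, used both for the server-side check described above and to turn a captured greeting and digest into the hashcat and John input lines shown above. The sample greeting, user and password are constructed after the RFC's own walk-through; all function names are my own.

```python
import hashlib
import hmac
import re

# Constructed sample exchange, modelled on the APOP walk-through in RFC 1939 section 7.
SAMPLE_GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SAMPLE_USER = "mrose"
SAMPLE_PASSWORD = "tanstaaf"  # the shared secret; the server must keep it in recoverable form

_TIMESTAMP_RE = re.compile(r"<[^<>]+@[^<>]+>")

def extract_apop_timestamp(greeting: str) -> str:
    """Return the '<pid.clock@host>' timestamp from the greeting, angle brackets included.
    A server that supports APOP puts this timestamp in its banner."""
    match = _TIMESTAMP_RE.search(greeting)
    if match is None:
        raise ValueError("greeting carries no APOP timestamp")
    return match.group(0)

def apop_digest(timestamp: str, password: str) -> str:
    """RFC 1939 digest: MD5(timestamp || password) as 32 lowercase hex digits."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()

def verify_apop(timestamp: str, stored_password: str, received_digest: str) -> bool:
    """Server-side check of an 'APOP user digest' command (constant-time compare)."""
    expected = apop_digest(timestamp, stored_password)
    return hmac.compare_digest(expected, received_digest.lower())

def to_hashcat_line(digest: str, timestamp: str) -> str:
    """hashcat -m 20 is md5($salt.$pass) and expects 'hash:salt'; the timestamp is the salt."""
    return f"{digest}:{timestamp}"

def to_john_line(user: str, digest: str, timestamp: str) -> str:
    """John dynamic_1017 is md5($s.$p) with a long salt; $HEX$ keeps '<', '@', '.' out of the salt field."""
    return f"{user}:$dynamic_1017${digest}$HEX${timestamp.encode().hex()}"

if __name__ == "__main__":
    ts = extract_apop_timestamp(SAMPLE_GREETING)
    digest = apop_digest(ts, SAMPLE_PASSWORD)  # what a client sends as "APOP mrose <digest>"
    print("APOP", SAMPLE_USER, digest)
    print("server accepts:", verify_apop(ts, SAMPLE_PASSWORD, digest))
    print(to_hashcat_line(digest, ts))
    print(to_john_line(SAMPLE_USER, digest, ts))
```

Feeding the same captured digest to both converters and checking that verify_apop accepts only the right password is a quick way to confirm a packet capture was parsed correctly before spending time cracking.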

👻 To-do 👻

Stuff that I found but haven't read/used yet.

  • dovecot-pop3d
  • sudo nmap IP -p110,995 -sV -sC