POP3
Post Office Protocol version 3 is a protocol that opens the mailbox, checks if there are (new) emails, and if any, downloads and removes them from the mailbox.
Port: 110 (TCP)
POP3 communications are not encrypted.
There is a secure version called POP3S (port 995, over SSL/TLS).
It's possible to configure POP3 so that emails aren't removed, but due to how it works, mails will remain marked as "new", and the client will lose track of whether a mail was read or not.
$ telnet IP 110
USER xxx
PASS xxx
STAT # number of messages and total size
LIST # list messages with their sizes
RETR 1 # retrieve the first message
$ curl -k 'pop3s://IP' --user username:password
$ curl -k 'pop3s://IP' [...] -X 'RETR 1'
$ openssl s_client -connect IP:pop3s
Pentester Notes
Foothold
- You may try to use brute force:
$ msfconsole -q
msf6> use auxiliary/scanner/pop3/pop3_login
msf6> set USER_FILE /path/to/users.lst
msf6> set PASS_FILE /path/to/pass.lst
msf6> setg RHOSTS IP
msf6> run
- You can try USER to check whether an account exists:
$ telnet IP 110
USER xxx
-ERR
USER yyy
+OK
APOP
APOP is an authentication method that a POP3 server may implement. Instead of sending the cleartext password:
- The server sends a challenge text (the salt) to the client.
- The client returns the hash md5(challenge + password).
- The server computes the hash md5(challenge + saved_password) and compares it with the hash it received.
This authentication method is still vulnerable to sniffing.
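The APOP exchange described above, as an added example that is not part of the original notes: both sides in Python, with the server's greeting, the client's APOP line and the server's constant-time check. The timestamp, user name and shared secret are the sample values from RFC 1939 section 7; the hostname passed to make_greeting is made up.

```python
import hashlib
import hmac
import os
import re
import time

# Sample values from the APOP example in RFC 1939 section 7 (not from this page):
# the timestamp sent in the server greeting and the shared secret "tanstaaf".
RFC_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
RFC_SECRET = "tanstaaf"

TIMESTAMP_RE = re.compile(r"<[^<>]+>")

def make_greeting(hostname: str) -> str:
    """Server side: the +OK banner carries a unique timestamp (the challenge)."""
    return f"+OK POP3 server ready <{os.getpid()}.{time.time_ns()}@{hostname}>"

def extract_timestamp(greeting: str) -> str:
    """Client side: pull the <...> challenge out of the banner, brackets included."""
    m = TIMESTAMP_RE.search(greeting)
    if m is None:
        raise ValueError("server does not offer APOP (no timestamp in greeting)")
    return m.group(0)

def apop_digest(timestamp: str, secret: str) -> str:
    """md5(challenge + password) as 32 lowercase hex digits."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()

def apop_command(user: str, greeting: str, secret: str) -> str:
    """Client side: the single APOP line sent instead of USER / PASS."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"

def apop_verify(command: str, timestamp: str, secrets: dict) -> bool:
    """Server side: recompute md5(challenge + saved_password) and compare it in
    constant time. Note that the server must keep the plaintext secret, not a
    password hash; and since challenge and digest both cross the wire in clear,
    the exchange still needs TLS (POP3S) to resist the offline guessing above."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    user, digest = parts[1], parts[2].lower()
    if user not in secrets:
        return False
    expected = apop_digest(timestamp, secrets[user])
    return hmac.compare_digest(expected.encode(), digest.encode())
```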
An attacker who captured both the challenge and the hash can try to brute force the password. With hashcat:
$ cat hash
hash:salt
$ hashcat -m 20 hash wordlist
With John, it's slightly more complex:
$ cat apop2john.py
import argparse
parser = argparse.ArgumentParser(description="Convert APOP hash:salt to John The Ripper Dynamic MD5 Hash")
parser.add_argument("hash", type=str, help="Hash string")
parser.add_argument("salt", type=str, help="Salt string")
args = parser.parse_args()
print(f':$dynamic_1017${args.hash}$HEX${args.salt.encode().hex()}')
$ python apop2john.py "hash" "salt" > hash
$ john hash --wordlist=wordlist
To-do
Stuff that I found, but never read/used yet.
- dovecot-pop3d
- sudo nmap IP -p110,995 -sV -sC