pentesting-pop3

```bash
npx mdskill add xalgord/xalgorix/pentesting-pop3
```


Source file: `.github/skills/pentesting-pop3/SKILL.md`
---
name: pentesting-pop3
description: Testing POP3 services (default ports 110 cleartext, 995 POP3S) for weak/default credentials and brute force, NTLM info disclosure, cleartext credential exposure, capability enumeration, and authenticated mailbox retrieval/data extraction via raw POP3 commands during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- pop3
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting POP3 (ports 110, 995)

## When to Use
- Default ports: `110/tcp` (cleartext POP3) and `995/tcp` (POP3 over TLS / POP3S).
- When `nmap`/banner shows `pop3`, a `+OK ... POP3 server` greeting, or Dovecot/JAMES/Exchange POP3.
- For credential testing and post-auth mailbox retrieval (downloaded mail commonly holds reusable secrets).

## Quick Enumeration
```bash
# Cleartext banner
nc -nv <IP> 110

# POP3S banner
openssl s_client -connect <IP>:995 -crlf -quiet

# Capabilities + NTLM info (default scripts)
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110,995 <IP>

# Shodan-style discovery marker
#   port:110
```

## Critical: Checks Most Often Missed
- **Cleartext credentials on 110** — `USER`/`PASS` over port 110 (no STLS) is sniffable.
  - How to CONFIRM: capture with `tcpdump -i eth0 -A 'tcp port 110'` and observe `USER`/`PASS`; check `CAPA` for `STLS` and `SASL` support.
- **NTLM info disclosure** — `AUTH NTLM` leaks Windows/domain build info on Exchange.
  - How to CONFIRM: `nmap -p110 --script pop3-ntlm-info <IP>`.
- **Weak/default credentials** — guessable or reused mailbox passwords; brute-forceable.
  - How to CONFIRM: `hydra -l <user> -P passwords.txt -f <IP> pop3 -V` returns a valid login.
- **Authenticated mailbox data exposure** — `RETR` downloads full message bodies that frequently contain plaintext credentials, RDP/SSH logins, and internal hostnames.
  - How to CONFIRM: log in, `LIST`, then `RETR 1` and read the body.
- **Verbose auth logging** — Dovecot with `auth_debug_passwords`/`auth_verbose_passwords = true` writes passwords to logs in cleartext (note for post-exploitation log review).

## Workflow

### Step 1: Enumerate (capabilities, version, NTLM)
```bash
nc -nv <IP> 110
openssl s_client -connect <IP>:995 -crlf -quiet
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110,995 <IP>
# Manual capability listing once connected:
CAPA
msfconsole -q -x 'use auxiliary/scanner/pop3/pop3_version; set RHOSTS <IP>; set RPORT 110; run; exit'
```
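The CAPA reply is the quickest way to tell whether a POP3 listener will accept credentials in the clear, and the rule is subtle enough to be worth encoding: what matters on port 110 is what the server offers *before* STLS. The following is an added example (not the skill's own tooling) that parses a raw CAPA reply and rates the posture; the sample reply is constructed, the `fetch_capa` helper uses the standard-library `poplib` for a live check, and the claim that Dovecot withholds `USER` and `SASL PLAIN/LOGIN` from the pre-STLS CAPA when `disable_plaintext_auth = yes` is the assumption the assessment rests on.

```python
"""Parse a POP3 CAPA reply and judge whether credentials can cross the wire in cleartext.

Added example, not code from the skill page. Offline part: parse_capa()/assess_capa()
on a constructed reply. Live part: fetch_capa() via the standard-library poplib.
"""
import poplib
import ssl

# Constructed CAPA reply in RFC 2449 multi-line format; not captured from a real server.
SAMPLE_CAPA_110 = (
    "+OK Capability list follows\r\n"
    "TOP\r\nUIDL\r\nRESP-CODES\r\nPIPELINING\r\nAUTH-RESP-CODE\r\n"
    "USER\r\nSASL PLAIN LOGIN\r\nSTLS\r\nIMPLEMENTATION Dovecot\r\n.\r\n"
)


def parse_capa(raw: str) -> dict[str, list[str]]:
    """Turn a raw CAPA reply into {CAPABILITY: [args]}; raises ValueError on -ERR."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError(f"server refused CAPA: {lines[0] if lines else raw!r}")
    caps: dict[str, list[str]] = {}
    for line in lines[1:]:
        if line == ".":            # terminator of the multi-line response
            break
        if line.startswith(".."):  # byte-stuffed leading dot (RFC 1939 section 3)
            line = line[1:]
        name, *args = line.split()
        caps[name.upper()] = [a.upper() for a in args]
    return caps


def assess_capa(caps: dict[str, list[str]], port: int = 110) -> list[tuple[str, str]]:
    """Return (code, message) findings for the transport/auth posture.

    Assumption: Dovecot with disable_plaintext_auth = yes omits USER and
    SASL PLAIN/LOGIN from the CAPA sent before STLS, so seeing them on 110
    means the server will take a cleartext login.
    """
    findings = []
    if port == 110:
        if "STLS" not in caps:
            findings.append(("NO_STLS", "STLS not offered: sessions on 110 can never be upgraded to TLS"))
        if "USER" in caps:
            findings.append(("PLAINTEXT_USER_PASS", "USER/PASS accepted before STLS: credentials cross the wire in cleartext"))
        weak = sorted(m for m in caps.get("SASL", []) if m in ("PLAIN", "LOGIN"))
        if weak:
            findings.append(("PLAINTEXT_SASL", f"cleartext SASL mechanisms offered before STLS: {', '.join(weak)}"))
    if "NTLM" in caps.get("SASL", []):
        findings.append(("NTLM_OFFERED", "AUTH NTLM offered: the challenge discloses host/domain/OS build (cf. pop3-ntlm-info)"))
    return findings


def fetch_capa(host: str, port: int = 110, timeout: float = 10.0):
    """Fetch banner + CAPA from a live server (needs network; not exercised offline)."""
    if port == 995:
        conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = poplib.POP3(host, port, timeout=timeout)
    try:
        banner = conn.getwelcome().decode("ascii", errors="replace")
        caps = {k.upper(): [a.upper() for a in v] for k, v in conn.capa().items()}
    finally:
        conn.quit()
    return banner, caps


if __name__ == "__main__":
    for code, msg in assess_capa(parse_capa(SAMPLE_CAPA_110), port=110):
        print(f"[{code}] {msg}")
```

On the constructed reply the STLS check passes but `USER` and `SASL PLAIN LOGIN` are still advertised pre-STLS, which is exactly the "STLS not enforced" state the Output Format section reports; on 995 the same capabilities raise nothing because the session is already inside TLS.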

### Step 2: Authenticate (default creds, brute force)
```bash
# Brute force
hydra -l <Username> -P passwords.txt -f <IP> pop3 -V
hydra -l <Username> -P passwords.txt -f pop3s://<IP>
nxc pop3 <IP> -u users.txt -p passwords.txt

# Manual login (cleartext)
nc -nv <IP> 110
USER billydean
PASS password
```
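The defender-side counterpart to the brute-force step above, and to the "cleartext credentials on 110" check, is to read the server's own login log. Dovecot's `pop3-login` lines record every failed attempt with the source IP and whether a successful session was protected by TLS. The following added example (not part of the skill page) runs a sliding-window failure counter per source IP over constructed sample lines in Dovecot's syslog format and lists successful logins that carried no `TLS`/`secured` marker; the line format and the marker semantics are assumptions about Dovecot's default logging.

```python
"""Flag POP3 password-guessing bursts and cleartext logins in Dovecot pop3-login logs.

Added example, not part of the skill page. Assumes Dovecot's default syslog line
format for pop3-login events; all sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: five failures in 8 s from one source, then a cleartext login from it,
# then a TLS-protected login from an unrelated host and an idle disconnect.
SAMPLE_LOG = """\
Jan 12 03:14:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<billydean>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.1, session=<a1>
Jan 12 03:14:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<billydean>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.1, session=<a2>
Jan 12 03:14:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<billydean>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.1, session=<a3>
Jan 12 03:14:07 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<billydean>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.1, session=<a4>
Jan 12 03:14:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<billydean>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.1, session=<a5>
Jan 12 03:14:12 mail dovecot: pop3-login: Login: user=<billydean>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.1, mpid=4021, session=<a6>
Jan 12 03:20:00 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.42, lip=10.0.0.1, mpid=4033, TLS, session=<b1>
Jan 12 03:21:00 mail dovecot: pop3-login: Disconnected (no auth attempts in 10 secs): user=<>, rip=198.51.100.9, lip=10.0.0.1, session=<c1>
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<msg>[^:]*): user=<(?P<user>[^>]*)>(?:, method=(?P<method>\w+))?"
    r", rip=(?P<rip>[^,]+)(?P<rest>.*)$"
)


def parse_line(line: str, year: int = 2024):
    """Return a dict for one pop3-login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m["msg"].startswith("Login"):
        event = "success"
    elif "auth failed" in m["msg"]:
        event = "failure"
    else:
        event = "other"
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "event": event,
        "user": m["user"],
        "method": m["method"] or "",
        "rip": m["rip"],
        # Assumption: Dovecot tags protected sessions "TLS" (or "secured" for trusted/local
        # networks); a Login line without either came in over port 110 in the clear.
        "encrypted": re.search(r"\b(TLS|secured)\b", m["rest"]) is not None,
    }


def analyze(log_text: str, window_s: int = 60, fail_threshold: int = 5, year: int = 2024):
    """Sliding-window failure count per source IP, plus an inventory of cleartext logins."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    window = defaultdict(deque)  # rip -> recent (ts, user) failures inside window_s
    flagged = set()
    alerts, cleartext = [], []
    for e in events:
        rip = e["rip"]
        if e["event"] == "failure":
            q = window[rip]
            q.append((e["ts"], e["user"]))
            while (e["ts"] - q[0][0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= fail_threshold and rip not in flagged:
                flagged.add(rip)
                # many distinct users in one burst = spraying; one user = classic brute force
                alerts.append({"kind": "burst", "rip": rip, "failures": len(q),
                               "users": sorted({u for _, u in q}), "at": e["ts"]})
        elif e["event"] == "success":
            if not e["encrypted"]:
                cleartext.append((rip, e["user"], e["method"]))
            if rip in flagged:  # a success right after a burst is the alert that matters
                alerts.append({"kind": "login_after_burst", "rip": rip, "user": e["user"], "at": e["ts"]})
    return {"alerts": alerts, "cleartext_logins": cleartext}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["alerts"]:
        print(a)
    for rip, user, method in result["cleartext_logins"]:
        print(f"cleartext login: {user} via {method} from {rip}")
```

Run against a real host with `analyze(open("/var/log/dovecot.log").read())` (path varies by distribution). The `users` field of a burst separates a single-account brute force from a spray, and `login_after_burst` is the event worth paging on; `cleartext_logins` lists the accounts whose passwords have already crossed the wire unprotected and should be rotated once TLS is enforced.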

### Step 3: Exploit / Extract (retrieve mailbox)
```bash
# Raw POP3 command flow after login
STAT          # number of messages + total mailbox size
LIST          # message numbers and sizes
RETR 1        # download (show) message 1 — read for credentials/secrets
TOP 1 10      # first 10 lines of message 1 (peek without full download)
DELE 1        # mark for deletion (avoid in engagements unless authorized)
RSET          # undo deletions
QUIT          # logout (expunges if no RSET)
```

Example session:
```
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean
+OK
PASS password
+OK Welcome billydean
LIST
+OK 2 1807
RETR 1
+OK Message follows
... username: billydean  password: PA$$W0RD!Z ...
```

### Step 4: Post-access / pivot
- Grep retrieved messages for credentials, password-reset links, and internal hostnames/IPs.
- Reuse harvested credentials against IMAP/SMTP/OWA/SSH/VPN; map topology from headers.
- During post-exploitation, review Dovecot logs if `auth_*_passwords` were enabled — plaintext passwords may be present.

## Key Concepts
| Concept | Description |
|---------|-------------|
| **POP3 model** | Connect, download all messages locally, then (typically) delete them from the server. |
| **CAPA** | Lists server capabilities (`STLS`, `SASL`, `UIDL`, `TOP`, `USER`). |
| **Cleartext exposure** | `USER`/`PASS` on 110 without STLS sends credentials in plaintext. |
| **NTLM disclosure** | `AUTH NTLM` on Exchange leaks NetBIOS/DNS/OS build. |
| **RETR/TOP extraction** | Authenticated commands pull message bodies that often contain secrets. |
| **Verbose log leak** | `auth_debug_passwords`/`auth_verbose_passwords` can log cleartext passwords. |

## Tools & Systems
| Tool | Purpose |
|------|---------|
| **nmap NSE** | `pop3-capabilities`, `pop3-ntlm-info`. |
| **nc / openssl s_client** | Banner grab, manual cleartext/TLS POP3 sessions. |
| **hydra / netexec (nxc)** | Credential brute force / spraying. |
| **Metasploit** | `scanner/pop3/pop3_version`. |
| **tcpdump / Wireshark** | Capture cleartext credentials on port 110. |

## Common Scenarios
### Scenario 1: Cleartext POP3 credential capture
Port 110 lacks STLS. A MitM + `tcpdump 'tcp port 110'` captures `USER`/`PASS` in plaintext, reused on the mail web portal.

### Scenario 2: Brute force → credential reuse
`hydra <IP> pop3` finds `billydean:PA$$W0RD!Z`. `RETR 1` reveals an email containing RDP credentials, enabling lateral movement to a workstation.

### Scenario 3: Exchange NTLM disclosure
`nmap -p110 --script pop3-ntlm-info` returns NetBIOS name, domain, and OS build, supporting AD reconnaissance.

## Output Format
```
## POP3 Finding

**Service**: POP3
**Port**: 110/tcp (Dovecot, STLS not enforced)
**Severity**: High
**Finding**: Cleartext authentication + weak credentials with sensitive mailbox content
**Evidence**:
  - CAPA showed no STLS enforcement; tcpdump captured "PASS PA$$W0RD!Z"
  - RETR 1 returned an email containing RDP credentials
**Impact**: Credentials are exposed on the wire and downloaded mail discloses additional secrets enabling lateral movement.
**Recommendation**:
  1. Enforce TLS (require STLS or POP3S only; disable plaintext auth on 110).
  2. Enforce strong, unique mailbox passwords and rate-limit auth.
  3. Disable `auth_debug_passwords`/`auth_verbose_passwords`; advise users not to store credentials in email.
```
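The three recommendations above map onto a handful of Dovecot settings (`ssl`, `disable_plaintext_auth`, the `pop3` `inet_listener` port, `auth_verbose_passwords`, `auth_debug_passwords`), so the fix can be verified from configuration rather than by re-testing the wire. The following added example (not the skill's own tooling) parses `doveconf -n` output, which inlines `!include` files and prints the effective non-default settings, into path-prefixed keys so a nested `ssl = yes` inside a listener block is not confused with the global `ssl`, and audits it against the recommendations. Both sample configs are constructed, and the upstream defaults in `DEFAULTS` are an assumption to confirm with `doveconf -d` on the target version.

```python
"""Audit Dovecot settings against the POP3 recommendations above.

Added example, not part of the skill page. Input: `doveconf -n` output (preferred,
since it resolves !include) or a raw dovecot.conf. Missing keys fall back to DEFAULTS.
"""

# Constructed sample mimicking `doveconf -n` on a poorly configured host.
SAMPLE_WEAK = """\
# 2.3.x: /etc/dovecot/dovecot.conf
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose_passwords = plain
disable_plaintext_auth = no
protocols = imap pop3
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = yes
"""

# Constructed sample after applying the recommendations: no cleartext listener, TLS mandatory.
SAMPLE_HARDENED = """\
auth_mechanisms = plain login
disable_plaintext_auth = yes
protocols = imap pop3
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
"""

# Assumed upstream Dovecot 2.x defaults; verify with `doveconf -d` on the target.
DEFAULTS = {
    "disable_plaintext_auth": "yes",
    "ssl": "yes",
    "auth_verbose_passwords": "no",
    "auth_debug_passwords": "no",
}


def parse_doveconf(text: str) -> dict[str, str]:
    """Flatten `key = value` pairs; nested keys get their block path as prefix,
    e.g. 'service pop3-login/inet_listener pop3/port'."""
    settings: dict[str, str] = {}
    path: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (fine for doveconf -n output)
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings["/".join(path + [key])] = value
    return settings


def audit(text: str) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the recommendations are met."""
    s = parse_doveconf(text)
    get = lambda key: s.get(key, DEFAULTS.get(key, "")).lower()
    # port = 0 disables the cleartext listener entirely (POP3S only).
    cleartext_listener = s.get("service pop3-login/inet_listener pop3/port", "110") != "0"
    findings = []
    if get("ssl") == "no":
        findings.append(("TLS_DISABLED", "ssl = no: neither STLS nor POP3S can be offered"))
    if cleartext_listener and get("disable_plaintext_auth") != "yes":
        findings.append(("PLAINTEXT_AUTH", "disable_plaintext_auth = no with port 110 open: USER/PASS accepted before STLS"))
    if cleartext_listener and get("disable_plaintext_auth") == "yes" and get("ssl") not in ("required", "no"):
        findings.append(("STLS_NOT_REQUIRED", "ssl = required would also force TLS for non-plaintext mechanisms (NTLM, CRAM-MD5) on 110"))
    if get("auth_verbose_passwords") != "no":
        findings.append(("PASSWORD_LOGGING", f"auth_verbose_passwords = {get('auth_verbose_passwords')}: passwords written to the auth log"))
    if get("auth_debug_passwords") == "yes":
        findings.append(("PASSWORD_DEBUG_LOGGING", "auth_debug_passwords = yes: passwords written to the auth log"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(cfg) or "no findings")
```

Run it as `python3 audit_dovecot.py` against the embedded samples, or pipe in the live config with `audit(subprocess.run(["doveconf", "-n"], capture_output=True, text=True).stdout)`. The `PASSWORD_*` findings are also the cue for the post-exploitation log review in Step 4: if either setting was ever on, the auth log itself is a credential store.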
