Port 110/995 – POP
Pentesting POP
Though relatively simple compared to IMAP, POP3 services can expose vulnerabilities or poor configurations that may be leveraged during a penetration test. Especially when credentials are transmitted in cleartext or when authentication mechanisms can be brute forced.
Discovery and Enumeration
Scanning for POP Services
You can use Nmap to identify POP3 services and check for capabilities.
nmap -p 110,995 -sV 10.1.1.1 #Identify POP services and version
You can also use Nmap scripts to enumerate service details:
nmap -p 110 --script pop3-capabilities 10.1.1.1 #Discover server capabilities nmap -p 110 --script pop3-ntlm-info 10.1.1.1 #Retrieve NTLM info (if supported)
Banner Grabbing
To get POP3 banners you can manually interact with the service using a tool like Netcat.
nc -v 10.1.1.1 110 #Netcat connection to target IP on port 110 nc -vv 10.1.1.1 110 #Netcat connection to target IP on port 110 with more verbose output ##Example Response +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
For encrypted connections on port 995, use openssl.
openssl s_client -connect 10.1.1.1:995 #openssl connection to target IP on encrypted POP port
Metasploit Enumeration
Metasploit has modules to help you with POP3 enumeration
use auxiliary/scanner/pop3/pop3_version #Enumerates POP3 version via banner grabbing set RHOSTS 10.1.1.1 run
Unlike SMB, POP services typically do not allow for lateral movement or file retrieval on their own. However, they often yield valuable credentials, which can be reused across other services (e.g., RDP, SSH, or web logins). Always test credential reuse once access is obtained.
Useful Tools and Techniques
Manual POP3 Interaction
You can test authentication and issue POP commands using telnet, nc, or openssl s_client.
Taking the plaintext port 110 as an example and connecting with telnet:
telnet 10.1.1.1 110 #Connect to telnet port on target using telnet #Commands: USER admin PASS password STAT LIST RETR 1 DELE 1 QUIT
Some common POP3 commands are shown below:
- USER <username> – Specify username
- PASS <password> – Submit password
- STAT – Get mailbox statistics
- LIST – List message sizes
- RETR <n> – Retrieve message n
- DELE <n> – Mark message n for deletion
- QUIT – End session
- CAPA – List server capabilities
POP3 Bruteforce
It is possible to perform password brute forcing against POP3 services if you have a known or guessed username using the techniques above. You can use Hydra to perform brute force attacks.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.1.1.1 pop3 #Try to brute force POP3 on port 110 login with Hydra hydra -S -l admin -P /usr/share/wordlists/rockyou.txt -s 995 10.1.1.1 pop3 #Try to brute force POP3 on encrypted port 995 with switches -S: use SSL, -s 995: port
Metasploit can also be used to try brute force POP3
use auxiliary/scanner/pop3/pop3_login set RHOSTS 10.1.1.1 set USERNAME admin set PASS_FILE /usr/share/wordlists/rockyou.txt run
Vulnerability Checks
The following are some good vulnerability checks to perform when you encounter the POP protocol during a penetration test.
Nmap Scripts
Using the pop3-ntlm-info Nmap script may leak valuable system data when NTLM authentication is enabled.
nmap -p 110 --script pop3-ntlm-info 10.1.1.1 #Nmap script to check if system data is being leaked when NTLM authentication is enabled.
Logging Cleartext Passwords
Certain POP3 servers may log credentials in plaintext if misconfigured. Look for the following settings in Dovecot or similar servers:
- auth_debug_passwords = yes
- auth_verbose_passwords = yes
These can be used to retrieve passwords directly from logs during post-exploitation.