Pentesting POP

POP
Post Office Protocol (POP) is used to retrieve email from a remote mail server to a local client. It operates at the application layer of the OSI model and allows email clients to fetch messages, typically downloading them to the local system and deleting them from the server. The most common version is POP3, which operates on port 110 for plaintext communication and port 995 when secured with SSL/TLS.

Though relatively simple compared to IMAP, POP3 services can expose vulnerabilities or poor configurations that may be leveraged during a penetration test. Especially when credentials are transmitted in cleartext or when authentication mechanisms can be brute forced.

Discovery and Enumeration

Scanning for POP Services

You can use Nmap to identify POP3 services and check for capabilities.

nmap -p 110,995 -sV 10.1.1.1    #Identify POP services and version

You can also use Nmap scripts to enumerate service details:

nmap -p 110 --script pop3-capabilities 10.1.1.1     #Discover server capabilities
nmap -p 110 --script pop3-ntlm-info 10.1.1.1        #Retrieve NTLM info (if supported)

 

Banner Grabbing

To get POP3 banners you can manually interact with the service using a tool like Netcat.

nc -v 10.1.1.1 110    #Netcat connection to target IP on port 110
nc -vv 10.1.1.1 110   #Netcat connection to target IP on port 110 with more verbose output

##Example Response
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready

For encrypted connections on port 995, use openssl.

openssl s_client -connect 10.1.1.1:995     #openssl connection to target IP on encrypted POP port

 

Metasploit Enumeration

Metasploit has modules to help you with POP3 enumeration

use auxiliary/scanner/pop3/pop3_version         #Enumerates POP3 version via banner grabbing
set RHOSTS 10.1.1.1
run

 

Unlike SMB, POP services typically do not allow for lateral movement or file retrieval on their own. However, they often yield valuable credentials, which can be reused across other services (e.g., RDP, SSH, or web logins). Always test credential reuse once access is obtained.

Useful Tools and Techniques

Manual POP3 Interaction

You can test authentication and issue POP commands using telnet, nc, or openssl s_client.

Taking the plaintext port 110 as an example and connecting with telnet:

telnet 10.1.1.1 110       #Connect to telnet port on target using telnet

#Commands:
USER admin
PASS password
STAT
LIST
RETR 1
DELE 1
QUIT

Some common POP3 commands are shown below:

  • USER <username> – Specify username
  • PASS <password> – Submit password
  • STAT – Get mailbox statistics
  • LIST – List message sizes
  • RETR <n> – Retrieve message n
  • DELE <n> – Mark message n for deletion
  • QUIT – End session
  • CAPA – List server capabilities

POP3 Bruteforce

It is possible to perform password brute forcing against POP3 services if you have a known or guessed username using the techniques above. You can use Hydra to perform brute force attacks.

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.1.1.1 pop3              #Try to brute force POP3 on port 110 login with Hydra
hydra -S -l admin -P /usr/share/wordlists/rockyou.txt -s 995 10.1.1.1 pop3    #Try to brute force POP3 on encrypted port 995 with switches -S: use SSL, -s 995: port

Metasploit can also be used to try brute force POP3

use auxiliary/scanner/pop3/pop3_login
set RHOSTS 10.1.1.1
set USERNAME admin
set PASS_FILE /usr/share/wordlists/rockyou.txt
run

Vulnerability Checks

The following are some good vulnerability checks to perform when you encounter the POP protocol during a penetration test.

Nmap Scripts

Using the pop3-ntlm-info Nmap script may leak valuable system data when NTLM authentication is enabled.

nmap -p 110 --script pop3-ntlm-info 10.1.1.1     #Nmap script to check if system data is being leaked when NTLM authentication is enabled.
Logging Cleartext Passwords

Certain POP3 servers may log credentials in plaintext if misconfigured. Look for the following settings in Dovecot or similar servers:

  • auth_debug_passwords = yes
  • auth_verbose_passwords = yes

These can be used to retrieve passwords directly from logs during post-exploitation.