Notes
| Alternative Ports |
|---|
| 110 TCP (plaintext POP3) |
| 995 TCP (POP3S over SSL) |
Service Description
POP3 (Post Office Protocol v3) is a protocol used by mail clients to retrieve emails from a server. Port 110 is used for plaintext communication, and port 995 is used for secure connections via SSL/TLS. POP3 downloads and optionally deletes emails from the server.
POP3 on port 110 transmits credentials in plaintext and should be avoided over untrusted networks.
Attacks
Cleartext Credential Sniffing (110)
Intercepting credentials with MITM or sniffing tools (e.g., tcpdump, Wireshark).
Weak Authentication or Reused Passwords
Common on legacy systems or poorly secured infrastructure.
Credential Harvesting from EXABGP/Responder
Occurs when a client submits its credentials to a rogue POP3 listener.
Bruteforce Logins
POP3 servers often respond predictably to login attempts.
Tools & Exploits
Enumeration
nmap
```
nmap -sV -p110,995 --script=pop3-capabilities,pop3-brute <target>
```
telnet / openssl
```
# Plaintext
telnet <target> 110
USER bob
PASS password123
# Encrypted
openssl s_client -connect <target>:995
```
hydra
```
# Bruteforce
hydra -L users.txt -P passwords.txt pop3://<target>
```
msfconsole
```
use auxiliary/scanner/pop3/pop3_login
```
Exploitation or Post-Enum
Mailbox Access via USER/PASS
- List available mail: `LIST`
- Retrieve specific message: `RETR 1`
- Delete email (if permitted): `DELE 1`
Credential Reuse
POP3 creds often reused for webmail, SMTP, VPN, or AD logins.
Sniffing
```
tcpdump -i eth0 port 110 -A
```
Look for USER and PASS pairs.
Wireshark Analysis Tips
Filters
```
tcp.port == 110 || tcp.port == 995
pop
```
What to look for:
- USER / PASS login attempts
- RETR and LIST commands
- Mail headers containing internal usernames/IPs
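Added defender-side example (not part of the original notes): a Python script that applies the "look for USER and PASS pairs" check from the Sniffing and Wireshark sections to a constructed capture in a hypothetical one-line-per-segment format, and also counts repeated -ERR replies to PASS per client, which is how the predictable login responses from the Bruteforce Logins section show up in a trace.

```python
import re
from collections import Counter

# Constructed sample capture (not real traffic), one POP3 segment per line in a
# hypothetical "client_ip direction port payload" format: C = client to server,
# S = server to client. Only port 110 carries readable commands.
SAMPLE_CAPTURE = """\
10.0.0.5 C 110 USER bob
10.0.0.5 S 110 +OK
10.0.0.5 C 110 PASS hunter2
10.0.0.5 S 110 +OK Logged in.
10.0.0.7 C 110 USER alice
10.0.0.7 C 110 PASS guess1
10.0.0.7 S 110 -ERR [AUTH] Authentication failed.
10.0.0.7 C 110 USER alice
10.0.0.7 C 110 PASS guess2
10.0.0.7 S 110 -ERR [AUTH] Authentication failed.
10.0.0.7 C 110 USER alice
10.0.0.7 C 110 PASS guess3
10.0.0.7 S 110 -ERR [AUTH] Authentication failed.
10.0.0.9 C 995 <encrypted>
"""
LINE_RE = re.compile(r"^(\S+) ([CS]) (\d+) (.*)$")

def analyze_pop3(capture, fail_threshold=3):
    """Flag cleartext USER/PASS on port 110 and clients whose PASS keeps drawing -ERR."""
    pending_user, awaiting = {}, set()   # last USER per client; clients with a PASS reply pending
    cleartext, failures = [], Counter()  # (client, user) seen in the clear; -ERR count per client
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "110":
            continue                     # unparseable, or TLS on 995: nothing readable
        client, direction, _, payload = m.groups()
        cmd = payload.split(" ", 1)
        if direction == "C" and cmd[0].upper() == "USER" and len(cmd) > 1:
            pending_user[client] = cmd[1]
        elif direction == "C" and cmd[0].upper() == "PASS":
            cleartext.append((client, pending_user.get(client, "?")))  # password itself not kept
            awaiting.add(client)
        elif direction == "S" and client in awaiting:
            if payload.startswith("-ERR"):
                failures[client] += 1
            awaiting.discard(client)
    suspects = sorted(c for c, n in failures.items() if n >= fail_threshold)
    return {"cleartext_logins": cleartext, "failed_pass": dict(failures),
            "bruteforce_suspects": suspects}

if __name__ == "__main__":
    for key, value in analyze_pop3(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

The same logic applies to a real trace once the lines are exported from tcpdump or Wireshark into the assumed format; the threshold is the point to tune against your own false-positive rate.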