110,995-POP3

The Post Office Protocol (POP) is a basic email protocol that downloads emails from the server to a local device and typically removes them from the server. It works well for users who access email from a single device but lacks features like email synchronization and folder management.

Default Port: 110,995(ssl)

Banner grabbing

nc -nv $IP 110
openssl s_client -connect $IP:pop3s

Nmap

Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on computer network by sending packets and analyzing the responses.

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

# Default NSE
sudo nmap -sCV -p110,995 $IP

POP3 Commands

To interact with the POP, use the telnet tool to establish a connection with the server.

Command	Description
USER username	Identifies the user.
PASS password	Authentication of the user using its password.
STAT	List the number of saved emails.
LIST	List the number and size of all emails.
RETR id	Requests a specific email by ID from the server.
DELE id	Deletes a specific email by ID from the server.
CAPA	Displays the server’s capabilities.
RSET	Resets the current session information.
QUIT	Closes the connection with the server.

Dangerous settings

While most companies use third-party email providers like Google or Microsoft, some still maintain their own mail servers for various reasons. These settings apply to both POP3 and IMAP protocols.

Setting	Description
auth_debug	Enables all authentication debug logging.
auth_debug_passwords	Increases log verbosity to include submitted passwords and the authentication scheme used.
auth_verbose	Logs failed authentication attempts along with the reasons for failure.
auth_verbose_passwords	Passwords used for authentication are logged and can also be truncated.
auth_anonymous_username	Specifies the username to use when logging in with the ANONYMOUS SASL authentication method.