0) What is POP3?
POP3 (Post Office Protocol version 3) is a protocol for retrieving email from a remote mail server to a client. It typically listens on TCP port 110 (plaintext) and on 995 for POP3S (TLS). POP3 downloads messages to the client and (optionally) removes them from the server. Misconfigurations, weak authentication, or exposed credentials make POP3 a target during assessments.
1) Recon Phase
- Detect POP3 service and banner: nmap -sV -p 110 [target]
- Check for POP3S (TLS) on port 995: nmap -sV -p 995 [target]
- Nmap NSE scripts: nmap -p 110 --script pop3-capabilities,pop3-brute [target]
- Passive recon: search for mail server hostnames in DNS (MX records) with dig/host
Record server software (Dovecot, Courier, Exchange), supported authentication methods (USER/PASS, APOP, SASL), and whether TLS is enforced.
2) Enumeration Phase
- Manual banner grab & commands (telnet/netcat):
nc [target] 110
# expect: +OK greeting line (a <timestamp@host> in it means APOP is offered)
- Basic POP3 flow (manual):
USER username
PASS password
STAT # message count and total size
LIST # list messages with sizes
UIDL # unique ID per message
RETR n # retrieve message number n
DELE n # mark message n for deletion (applied when QUIT is sent)
QUIT
- Test APOP support (timestamp in greeting, MD5 challenge-response) if the greeting contains a timestamp
- Use POP3 client scripts/tools (nmap pop3-* scripts, pop3scan) for automated checks
- VRFY-based user enumeration is an SMTP feature; for POP3, use username lists and observe differences in responses or timing
Try connecting and issuing POP3 commands to see exact server responses. Note whether the server accepts plaintext auth or redirects to STARTTLS/POP3S.
3) Exploitation Phase
- Credential harvesting: if weak creds found, authenticate and download mailboxes (RETR)
- APOP: if supported and credentials can be guessed/extracted from zone files, use APOP flow
- Brute force (authorized only): hydra -L users.txt -P passwords.txt pop3://[target]
- If mailboxes contain sensitive data (password resets, API keys), pivot using discovered credentials
- Man-in-the-middle (authorized lab): intercept plaintext POP3 to capture credentials (on untrusted networks)
- Abuse mail retrieval to exfiltrate sensitive messages or to find tokens/links for lateral movement
Prioritize collecting credentials and messages that contain secrets. If the server allows deletion (DELE), do not delete messages during an assessment unless explicitly authorized.
POP3 Info — What to Look For
- Plaintext USER/PASS authentication (no TLS) on port 110
- Presence of POP3S (port 995) or STARTTLS support
- APOP support, indicated by a timestamp in the greeting banner (MD5 challenge-response)
- Mailboxes containing password reset emails, API keys, or onboarding messages
- Weak or reused credentials across services
- Ability to download many messages (large mailboxes may contain secrets)
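The first three items in this list can be checked from a server's greeting and its CAPA response. The script below is an added example written for this page, not code from the cheatsheet or from any tool it cites: it parses a CAPA reply, flags plaintext authentication offered without STLS, STLS advertised alongside pre-TLS USER/SASL, and an APOP timestamp in the greeting, and it ships with constructed sample banners and CAPA responses (not captured from any real server) so it runs offline. The audit_live() helper, the severity labels and the host name passed to it are assumptions.

```python
import re
import poplib

# Constructed sample data (not captured from any real server): the greeting and
# CAPA response of a plaintext-only listener on port 110, and of a hardened
# listener that advertises STLS and withholds USER/SASL until TLS is up.
WEAK_BANNER = "+OK POP3 ready <1896.697170952@mail.example>"
WEAK_CAPA = (
    "+OK Capability list follows\r\n"
    "TOP\r\nUSER\r\nSASL PLAIN LOGIN\r\nUIDL\r\nRESP-CODES\r\nPIPELINING\r\n.\r\n"
)
HARDENED_BANNER = "+OK POP3 ready"
HARDENED_CAPA = (
    "+OK Capability list follows\r\n"
    "TOP\r\nSTLS\r\nUIDL\r\nRESP-CODES\r\nPIPELINING\r\nAUTH-RESP-CODE\r\n.\r\n"
)

# RFC 1939: an APOP-capable server puts a <process-id.clock@hostname> timestamp
# in its greeting; that is the only signal of APOP, it is not listed in CAPA.
APOP_TIMESTAMP = re.compile(r"<[^<>@ ]+@[^<>@ ]+>")


def parse_capa(raw: str) -> dict:
    """Turn a raw CAPA response into {NAME: [args]} (RFC 2449 layout)."""
    lines = raw.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA not supported or rejected: %r" % (lines[:1],))
    caps = {}
    for line in lines[1:]:
        if line == ".":                 # end of multi-line response
            break
        if line.startswith(".."):       # undo dot-stuffing (RFC 1939 section 3)
            line = line[1:]
        name, *args = line.split()
        caps[name.upper()] = args
    return caps


def assess(banner: str, caps: dict, port: int = 110) -> list:
    """Return findings, most severe first; an empty list means nothing to report."""
    findings = []
    plaintext_auth = "USER" in caps or "SASL" in caps
    if port == 110:
        if plaintext_auth and "STLS" not in caps:
            findings.append("HIGH: USER/SASL offered with no STLS; "
                            "credentials cross the wire in clear text")
        elif plaintext_auth:
            findings.append("MEDIUM: STLS advertised but USER/SASL also offered "
                            "before TLS; a client that skips STLS still "
                            "authenticates in the clear")
        elif "STLS" not in caps:
            findings.append("INFO: no authentication method and no STLS "
                            "advertised on 110; check port 995 (POP3S)")
    if APOP_TIMESTAMP.search(banner):
        findings.append("MEDIUM: APOP timestamp in greeting; the server keeps the "
                        "shared secret recoverable and the exchange is MD5-based")
    return findings


def audit_live(host: str, port: int = 110, timeout: float = 5.0) -> list:
    """Run the same checks against a server you administer (hostname assumed)."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        banner = conn.getwelcome().decode("utf-8", "replace")
        # poplib parses CAPA itself and returns {name: [args]}
        caps = {name.upper(): args for name, args in conn.capa().items()}
    finally:
        conn.quit()
    return assess(banner, caps, port)


if __name__ == "__main__":
    for label, banner, capa in (("weak", WEAK_BANNER, WEAK_CAPA),
                                ("hardened", HARDENED_BANNER, HARDENED_CAPA)):
        print(label, assess(banner, parse_capa(capa)) or ["no findings"])
```

For a server on the standard ports, run audit_live("mail.example", 110) and expect an empty list; any HIGH finding means the listener should either drop USER/SASL before STLS or stop listening on 110 altogether.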
Tools Required
sudo apt install nmap netcat telnet hydra swaks openssl
# Optional / helpful:
# - fetchmail, getmail (mail retrieval)
# - pop3scan / pop3client scripts
# - Python's poplib for scripted retrieval
Quick copy-paste command cheatsheet
# service discovery
nmap -sV -p 110,995 --script pop3-capabilities,pop3-brute [target]
# banner grab (plaintext)
nc [target] 110
# then issue: USER test / PASS test
# test POP3S (TLS)
openssl s_client -connect [target]:995 -crlf
# brute-force (authorized only)
hydra -L users.txt -P passwords.txt pop3://[target]
# automated retrieval with Python poplib (example)
python3 - <<'PY'
import poplib
p = poplib.POP3('[target]')
p.user('username'); p.pass_('password')
print(p.stat()); print(p.list())
p.quit()
PY
Citations
- RFC 1939 — Post Office Protocol - Version 3
- Nmap NSE — pop3-capabilities
- HackTricks — POP3 pentesting
Disclaimer: Use these techniques only on systems and mailboxes you own or are explicitly authorized to test. Capturing or accessing others' email is illegal and unethical without permission.