Pentesting Post Office Protocol (POP)

Post Office Protocol (POP) is a mail protocol for retrieving mail from a remote mail server to a local mail client. Usually, once the client downloads the received mail from the Inbox folder, the mail is removed from the server. As a result, the mail is not accessible across multiple devices.

The first version of POP, specified in RFC 918, was published in 1984 and was immediately followed by POP2 in 1985, before POP3 was released in 1988 and underwent several revisions until 1996. By default, POP runs on unsecured TCP port 110, or on TCP port 995 when wrapped in SSL/TLS. It works in tandem with Simple Mail Transfer Protocol (SMTP) for end-to-end email communication: SMTP pushes messages to the server and POP pulls them down to the client.

[Image: SMTP/POP/IMAP Communication (/images/smtp/00_smtp-pop-imap-communication.png)]

To observe POP communication on the wire, capture the traffic while driving a session by hand, as in the POP communication traffic flow below.

# on terminal one
sudo tcpdump -Uni $INTERFACE tcp port 110 or 995    # unbuffered capture filter for POP3 (110) and POP3S (995)

# on terminal two
nc --ssl $IP $PORT    # open a connection to the server
user $USERNAME    # submit username
pass $PASSWORD    # submit password for username
list    # list mails in the inbox
quit    # quit POP session connection

[Image: POP3s Traffic (/images/pop/00_pop3s-traffic.png)]

Common Server Application

  • Unix systems
    • Dovecot
    • Postfix
    • Exim
  • Windows systems
    • MailEnable
    • Microsoft Exchange Server
    • Zimbra

Common Commands

COMMAND   USAGE              DESCRIPTION
CAPA      CAPA               list supported capabilities
DELE      DELE n             delete specified message number index n
LIST      LIST               list all messages in inbox
NOOP      NOOP               ping the server
PASS      PASS $PASSWORD     submit password for username
QUIT      QUIT               quit connection session (expunges messages if no RSET)
RETR      RETR n             retrieve content of specified message number index n
RSET      RSET               unmark messages queued for deletion
STAT      STAT               list messages and total mailbox size
TOP       TOP n l            show l lines of specified message number index n
USER      USER $USERNAME     login with specified username
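The traffic flow above and the command table, worked as one complete exchange with both sides' messages. This is an added example, not code from the original page: a toy in-process POP3 server (implementing only the commands in the table) and a standard-library poplib client that walks through CAPA, USER/PASS, STAT, LIST, TOP, RETR, DELE, RSET and QUIT, plus one failed login. The mailbox, the credential and the loopback host/port are constructed for the demonstration.

```python
import poplib
import socketserver
import threading

# Constructed toy mailbox (not real mail): message index -> raw RFC 822-style bytes
MAILBOX = {
    1: b"From: alice@example.test\r\nSubject: hello\r\n\r\nfirst line\r\nsecond line\r\n",
    2: b"From: bob@example.test\r\nSubject: report\r\n\r\nquarterly numbers\r\n",
}
# Constructed credential store for the toy server
CREDS = {"alice": "s3cret"}


def as_lines(data: bytes) -> list:
    """Split a CRLF-terminated blob into lines without the terminators."""
    return data.rstrip(b"\r\n").split(b"\r\n")


class ToyPop3Handler(socketserver.StreamRequestHandler):
    """Minimal RFC 1939 server: AUTHORIZATION -> TRANSACTION -> UPDATE states."""

    def reply(self, text: str) -> None:
        self.wfile.write(text.encode() + b"\r\n")

    def reply_multi(self, lines) -> None:
        # Multi-line response: byte-stuff leading dots, terminate with a lone "."
        for line in lines:
            if line.startswith(b"."):
                line = b"." + line
            self.wfile.write(line + b"\r\n")
        self.wfile.write(b".\r\n")

    def handle(self) -> None:
        user, authed, deleted = None, False, set()
        self.reply("+OK toy POP3 ready")
        while True:
            raw = self.rfile.readline()
            if not raw:                      # client went away
                return
            parts = raw.decode(errors="replace").split()
            if not parts:
                self.reply("-ERR empty command")
                continue
            cmd, args = parts[0].upper(), parts[1:]
            live = {n: m for n, m in MAILBOX.items() if n not in deleted}
            if cmd == "CAPA":
                self.reply("+OK capability list follows")
                self.reply_multi([b"USER", b"TOP", b"UIDL"])
            elif cmd == "QUIT":              # UPDATE state: a real server expunges `deleted` here
                self.reply("+OK bye")
                return
            elif cmd == "USER":
                user = args[0] if args else None
                self.reply("+OK")
            elif cmd == "PASS":
                if user and CREDS.get(user) == " ".join(args):
                    authed = True
                    self.reply("+OK logged in")
                else:
                    self.reply("-ERR auth failed")
            elif not authed:
                self.reply("-ERR not authenticated")
            elif cmd == "STAT":
                self.reply(f"+OK {len(live)} {sum(len(m) for m in live.values())}")
            elif cmd == "LIST":
                self.reply(f"+OK {len(live)} messages")
                self.reply_multi([f"{n} {len(m)}".encode() for n, m in live.items()])
            elif cmd in ("RETR", "TOP", "DELE") and args and args[0].isdigit() and int(args[0]) in live:
                n = int(args[0])
                if cmd == "DELE":            # only marks; nothing is removed until QUIT
                    deleted.add(n)
                    self.reply(f"+OK message {n} marked for deletion")
                elif cmd == "RETR":
                    self.reply(f"+OK {len(live[n])} octets")
                    self.reply_multi(as_lines(live[n]))
                else:                        # TOP n l: headers, blank line, first l body lines
                    head, _, body = live[n].partition(b"\r\n\r\n")
                    count = int(args[1]) if len(args) > 1 and args[1].isdigit() else 0
                    self.reply("+OK")
                    self.reply_multi(as_lines(head) + [b""] + as_lines(body)[:count])
            elif cmd == "RSET":
                deleted.clear()
                self.reply("+OK")
            elif cmd == "NOOP":
                self.reply("+OK")
            else:
                self.reply("-ERR unknown command or bad message number")


def start_toy_server():
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ToyPop3Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def pop3_session(host: str, port: int, username: str, password: str) -> dict:
    """Run the exchange from the traffic-flow section and return what each step yielded."""
    client = poplib.POP3(host, port, timeout=5)
    out = {"banner": client.getwelcome().decode()}
    out["capa"] = sorted(client.capa())          # CAPA
    client.user(username)                         # USER
    client.pass_(password)                        # PASS (cleartext unless TLS wraps the socket)
    out["stat"] = client.stat()                   # STAT -> (count, octets)
    out["list"] = [l.decode() for l in client.list()[1]]
    out["top_1_1"] = [l.decode() for l in client.top(1, 1)[1]]
    out["retr_2"] = [l.decode() for l in client.retr(2)[1]]
    client.dele(1)                                # DELE 1: mark only
    out["stat_after_dele"] = client.stat()
    client.rset()                                 # RSET: unmark
    out["stat_after_rset"] = client.stat()
    client.quit()                                 # QUIT: enter UPDATE state
    return out


def login_succeeds(host: str, port: int, username: str, password: str) -> bool:
    client = poplib.POP3(host, port, timeout=5)
    try:
        client.user(username)
        client.pass_(password)
        return True
    except poplib.error_proto:                    # server answered -ERR
        return False
    finally:
        client.quit()


def demo() -> dict:
    server = start_toy_server()
    host, port = server.server_address
    try:
        out = pop3_session(host, port, "alice", "s3cret")
        out["wrong_password_accepted"] = login_succeeds(host, port, "alice", "wrong")
        return out
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it with a tcpdump filter on the chosen loopback port and the capture shows exactly the lines the table describes, including the password in the clear, which is the point of the POP3S and STARTTLS variants shown earlier with nc --ssl and openssl s_client.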

Common Vulnerability

  • Improper Validation of Input: CWE-1285
  • Exposure of Sensitive Information: CWE-200

Security Best Practices

  • Deploy POP3 over TLS so that credentials and mail are encrypted in transit.
  • Enable strong password policies and two-factor authentication for user accounts.
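A concrete form of the first practice above for the Dovecot server listed earlier, as an added example that is not from the page or the Dovecot project: a small audit that reads a dovecot.conf fragment, reports the settings that leave POP3 in the clear, and is shown against a weak fragment and its hardened counterpart. Both fragments are constructed; ssl, disable_plaintext_auth, ssl_min_protocol, ssl_cert, ssl_key and auth_mechanisms are real Dovecot setting names, and the values assumed when a key is absent are marked as assumptions in the code. Two-factor authentication is not something this file controls, so it is not covered here.

```python
import re

# Protocol versions in strength order, used for the ssl_min_protocol check
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Constructed dovecot.conf fragment (example settings, not any real host's config):
# POP3 only on port 110 and USER/PASS accepted without TLS.
WEAK_CONF = """\
protocols = pop3
ssl = no
disable_plaintext_auth = no
auth_mechanisms = plain login
"""

# Constructed hardened counterpart: every client must negotiate TLS (995 or STLS on 110),
# USER/PASS is refused on an unencrypted session, and old protocol versions are off.
HARDENED_CONF = """\
protocols = pop3
ssl = required
ssl_cert = </etc/dovecot/certs/pop.example.test.pem
ssl_key = </etc/dovecot/private/pop.example.test.key
ssl_min_protocol = TLSv1.2
disable_plaintext_auth = yes
auth_mechanisms = plain
"""


def parse_settings(conf: str) -> dict:
    """Collect top-level `key = value` pairs; comment lines and block braces are ignored."""
    settings = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z_]\w*)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit(conf: str) -> list:
    """Return human-readable findings for settings that weaken POP3 transport security."""
    s = parse_settings(conf)
    findings = []
    ssl = s.get("ssl", "yes")  # assumption: Dovecot's default when the key is absent
    if ssl == "no":
        findings.append("ssl = no: TLS is disabled, credentials and mail cross the wire in cleartext")
    elif ssl != "required":
        findings.append(f"ssl = {ssl}: TLS is optional; set ssl = required so clients cannot fall back")
    # assumption: Dovecot defaults disable_plaintext_auth to yes when the key is absent
    if s.get("disable_plaintext_auth", "yes") != "yes":
        findings.append("disable_plaintext_auth = no: USER/PASS accepted before TLS is negotiated")
    minp = s.get("ssl_min_protocol")
    if minp is not None and TLS_ORDER.get(minp, -1) < TLS_ORDER["TLSv1.2"]:
        findings.append(f"ssl_min_protocol = {minp}: allows deprecated versions; use TLSv1.2 or newer")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

The parser is deliberately flat: it does not follow !include directives or descend into service or protocol blocks, so point it at the rendered output of doveconf -n if the real configuration is split across files.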

Exploitation
Although not as prevalent as its counterpart IMAP, an attacker can still exploit this service. One caveat to keep in mind is that, depending on the configuration of the server and the attacker's goal, they may have a hard time repeating a particular procedure. For example, they may have just one chance to exfiltrate a confidential mail, and it has to be resident in the inbox (POP normally removes mail from the server once a client has downloaded it). One primary inclination is:

  • Whether they are able to retrieve sensitive information.
## SERVICE ENUMERATION ## 
# with nmap
ls /usr/share/nmap/scripts/pop*    # list nmap pop3 scripts
'SNIP
/usr/share/nmap/scripts/pop3-brute.nse
/usr/share/nmap/scripts/pop3-capabilities.nse
/usr/share/nmap/scripts/pop3-ntlm-info.nse
'
nmap -p 110,995 -sV $IP   # run a version scan 
nmap -p 110,995 --script pop3-capabilities $IP   # show capabilities

# with telnet
telnet $IP 110    # show banner

# with metasploit
search scanner name:pop3
use auxiliary/scanner/pop3/pop3_version
set rhosts $IP
exploit 

## CREDENTIAL ENUMERATION ##
# with hydra
hydra -t 10 -L $USERNAMELIST -P $PASSWORDLIST -s 110 $IP pop3 -V    # find credentials
hydra -S -t 20 -l $USERNAME -P $PASSWORDLIST -s 995 $IP pop3 -V    # find credentials via SSL/TLS

## PATH ENUMERATION ##

## HOST ENUMERATION/FOOTPRINTING ##
# with nc
nc -nv --ssl $IP 995
user $USERNAME
pass $PASSWORD
list
retr $MESSAGE_INDEX
quit

# with openssl
openssl s_client -connect $IP:110 -starttls pop3 -crlf    # upgrade connection and fingerprint
openssl s_client -connect $IP:995 -crlf -quiet    # fingerprint via SSL/TLS
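The defender's side of the credential-enumeration commands above, as an added example that is not part of the original page: simple detection logic run over constructed Dovecot pop3-login log lines. It flags a source address with a burst of authentication failures spread across several usernames (what the hydra runs above look like from the server) and any successful login that was not made over TLS. The log lines, addresses, usernames and timestamps are constructed; the line layout follows Dovecot's pop3-login messages with an ISO timestamp prefix, which is an assumption for any particular version or syslog setup.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Dovecot pop3-login lines; not from any real host
SAMPLE_LOG = """\
2024-03-10T12:00:01 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4021, TLS, session=<a1>
2024-03-10T12:00:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b1>
2024-03-10T12:00:08 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b2>
2024-03-10T12:00:11 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b3>
2024-03-10T12:00:14 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b4>
2024-03-10T12:00:17 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b5>
2024-03-10T12:00:20 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<postmaster>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b6>
2024-03-10T12:03:40 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, session=<c1>
2024-03-10T12:03:55 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=4077, session=<c2>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+)(?P<rest>.*)$"
)


def parse_line(line: str):
    """Return the fields of one pop3-login event, or None for lines that are not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "ok": m.group("event") == "Login",
        "user": m.group("user"),
        "rip": m.group("rip"),
        "tls": ", TLS" in m.group("rest"),   # Dovecot marks TLS-wrapped logins with "TLS"
    }


def detect(lines, threshold: int = 5, window_s: int = 60) -> dict:
    """Flag sources with >= threshold failures inside window_s seconds (password guessing
    or spraying) and successful logins that were not protected by TLS."""
    failures = defaultdict(list)
    plaintext_logins = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            if not ev["tls"]:
                plaintext_logins.append((ev["user"], ev["rip"]))
        else:
            failures[ev["rip"]].append((ev["ts"], ev["user"]))
    brute_force = []
    for rip, attempts in failures.items():
        attempts.sort()
        # Slide a window of `threshold` consecutive failures; one tight window is enough
        for i in range(len(attempts) - threshold + 1):
            span = (attempts[i + threshold - 1][0] - attempts[i][0]).total_seconds()
            if span <= window_s:
                users = sorted({u for _, u in attempts})
                brute_force.append({"rip": rip, "failures": len(attempts), "users_tried": users})
                break
    return {"brute_force": brute_force, "plaintext_logins": plaintext_logins}


if __name__ == "__main__":
    import json
    print(json.dumps(detect(SAMPLE_LOG.splitlines()), indent=2))
```

On the sample, the spraying source is reported with six failures across six usernames, while the single failure followed by a non-TLS login for bob is reported only as a plaintext login; tune threshold and window_s to the normal failure rate of the mail host before alerting on it.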

References