Blog
Page cover image

POP3 & IMAP | 110, 143, 993

πŸ’‘POP3 and IMAP are both protocols used to retrieve email from a mail server, but they differ in how they handle emails. POP3 downloads emails from the server to the local device, typically removing them from the server once downloaded, making it suitable for single-device access. In contrast, IMAP synchronizes emails across multiple devices, leaving the emails on the server and allowing users to manage their mail consistently from any device. IMAP is better suited for users who need to access their email from multiple locations or devices. Additionally, IMAP supports folder organization and flags (e.g., read/unread), while POP3 lacks these features.

01. POP3 - Post Office Protocol Version 3

USER [username]

First login command (identifies user).

PASS [password]

Second login command (authenticates user).

STAT

Returns total number of messages and their size.

LIST

Lists all messages with IDs and sizes.

RETR [messageID]

Retrieves the entire message by ID.

DELE [messageID]

Marks a message for deletion by ID.

CAPA

Displays server capabilities.

RSET

Undeletes messages marked for deletion.

QUIT

Logs out, saves changes, and closes connection.

NOOP

Does nothing; server responds positively.

TOP [message] [number]

Returns headers and specified lines of a message.

## ------------------| Login via telnet 
telnet $IP 110  ### Login via telnet
USER h4rithd    ### Enter user name with USER command | Receive +OK, if success
PASS harith123  ### Enter password with PASS command | Receive +OK Welcome h4rithd, if success
STAT            ### Returns total number of messages and total size | Receive +OK 1 743
LIST            ### Lists all messages | +OK 1 743, if success
RETR 1          ### Retrieves the whole message RETR <number>

## ------------------| Login via OpenSSL [Encrypted]
openssl s_client -connect $IP:pop3s
openssl s_client -connect $IP:pop3s -quiet -crlf

## ------------------| Enumerate using Nmap
sudo nmap -sV -Pn  -p110,143,993,995 -sC $IP
sudo nmap -sV -Pn --script pop3-ntlm-info.nse -p 110 $IP
sudo nmap -sV -Pn --script pop3-brute.nse -p 110 $IP

## ------------------| Brute force
hydra -l <USERS> -P <PASSWORDS> -f $IP pop3 -V
hydra -S -v -s 995 -l <USERS> -P <PASSWORDS_LISTS> -f $IP pop3 -V
use auxiliary/scanner/pop3/pop3_login

02. IMAP - Internet Message Access Protocol

By default, IMAP uses port 143 for unencrypted connections and port 993 for secure connections over SSL. Use GUI clients like Evolution.

## ------------------| Scan using Nmap
sudo nmap -sV -Pn -p143,993,995 -sC $IP
sudo nmap -sV -Pn --script imap-capabilities.nse -p 143 $IP
sudo nmap -sV -Pn --script imap-brute.nse -p 143 $IP
curl -k 'imaps://$IP' --user h4rithd:password123 -v

## ------------------| Connect to the server 
telnet $IP 143                   ### use 'c1 STARTTLS' If you need to switch to SSL
ncat --crlf --verbose $IP 143    ### use 'c1 STARTTLS' If you need to switch to SSL
openssl s_client -connect $IP:143 -crlf -quiet -starttls imap

## ------------------| Connect to the server [Encrypted]
ncat --ssl $IP 993
openssl s_client -connect $IP:imaps
openssl s_client -connect $IP:993 -quiet

## ------------------| Authenticating to IMAP
ANYTHING001 login <Username> <Password> 
A1 LOGIN <Username> <Password> 

## ------------------| List Folders/Mailboxes
A1 LIST "" *
A1 LIST INBOX *
A1 LIST "Archive" *

## ------------------| Status of Mailbox
A1 STATUS INBOX (MESSAGES UNSEEN RECENT)

## ------------------| List Subscribed Mailboxes
A1 LSUB "" *

## ------------------| Select/Examine Mailbox
A1 SELECT INBOX
A1 EXAMINE INBOX

## ------------------| Fetch Emails
A1 FETCH 1 BODY[]
A1 FETCH 1 ALL
A1 FETCH 1:5 (FLAGS BODY[HEADER.FIELDS (SUBJECT FROM)])

## ------------------| Search Emails
A1 SEARCH ALL
A1 SEARCH FROM "[email protected]"
A1 SEARCH SUBJECT "Report"
A1 SEARCH SINCE 1-Feb-2025

## ------------------| Delete Emails
A1 STORE 1 +FLAGS (\Deleted)
A1 EXPUNGE

## ------------------| Copy Emails
A1 COPY 1:3 "Archive"

## ------------------| Store Flags
A1 STORE 1 +FLAGS (\Seen)
A1 STORE 1 -FLAGS (\Deleted)
A1 STORE 1 +FLAGS (\Flagged)

## ------------------| Create/Rename/Delete Mailboxes
A1 CREATE "NewFolder"
A1 RENAME "OldFolder" "RenamedFolder"
A1 DELETE "UnwantedFolder"

## ------------------| List messages
A1 FETCH 1:* (FLAGS)
A1 UID FETCH 1:* (FLAGS)

## ------------------| Retrieve Message Content
A1 FETCH 2 body[text]
A1 FETCH 2 all
A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[])

## ------------------| Close Mailbox
A1 CLOSE

## ------------------| Logout
A1 LOGOUT

Last updated

Was this helpful?