# 110,995 - Pentesting POP
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of PEASS or to download HackTricks as a PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover our exclusive [NFT collection](https://opensea.io/collection/the-peass-family) - [**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**Telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and the** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud)**.**

</details>
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
***
## Basic Information

**Post Office Protocol (POP)** is an application-layer protocol used to **retrieve email** from a remote mail server so that it can be read on a local device. A **POP client** typically connects to the mail server, downloads all messages, stores them on the client system and then deletes them from the server (unless configured to leave copies). Three versions of the protocol exist; **POP3** (RFC 1939) is the one you will almost always meet. Plain POP3 on port 110 sends the username and password in clear text unless the session is upgraded with `STLS`; port 995 wraps the whole session in TLS.

**Default ports:** 110, 995 (ssl)
```
PORT STATE SERVICE
110/tcp open pop3
```
## Enumeration

### Banner Grabbing
```bash
nc -nv <IP> 110
openssl s_client -connect <IP>:995 -crlf -quiet
```
### Manual
You can use the command `CAPA` to obtain the capabilities of the POP3 server. Useful entries: `USER` means plain `USER`/`PASS` login is accepted, `STLS` means the port-110 session can be upgraded to TLS, `SASL` lists the `AUTH` mechanisms (NTLM there usually means a Windows/Exchange host), and `IMPLEMENTATION` often leaks the product and version.
### Automatic
```bash
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p <PORT> <IP> #All are default scripts
```
The `pop3-ntlm-info` script returns some "**sensitive**" data (Windows versions) when the server offers NTLM authentication.

### [POP3 bruteforce](../generic-methodologies-and-resources/brute-force.md#pop)

## POP syntax
POP command examples from [here](http://sunnyoasis.com/services/emailviatelnet.html)
```
POP commands (case-insensitive):

USER uid         Log in as "uid"
PASS password    Substitute "password" for your actual password
STAT             List number of messages, total mailbox size
LIST             List messages and sizes
RETR n           Show message n
DELE n           Mark message n for deletion
RSET             Undo any changes (unmark messages marked with DELE)
QUIT             Logout (expunges messages marked with DELE unless RSET was sent)
TOP msg n        Show the headers and the first n body lines of message number msg
CAPA             Get capabilities
UIDL [n]         Unique-id listing (IDs stay stable across sessions, unlike LIST numbers)
STLS             Upgrade the port-110 session to TLS (only if CAPA lists STLS)
```
```
root@kali:~# telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean
+OK
PASS password
+OK Welcome billydean

list

+OK 2 1807
1 786
2 1021

retr 1

+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,

Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!Z
```

## Testing a POP service

POP is the protocol email clients use to retrieve mail from a mail server; it normally listens on port 110 (995 for the TLS-wrapped variant). When you meet a POP service on a target, the usual checks are:

### Default Credentials
Check whether the POP service accepts default or vendor credentials. Many deployments never change them, which gives direct access to the mailbox.

### Brute Force Attacks
Attempt to brute force the POP service with tools such as Hydra or Medusa, which try username and password combinations until one is accepted. Watch for account lockout policies before running a large wordlist against a single user.

### Man-in-the-Middle (MitM) Attacks
Intercept POP traffic between the email client and the mail server. Plain POP3 on port 110 sends `USER`/`PASS` in clear text unless the client first issues `STLS`, so a network position is enough to capture login credentials and message bodies.

### Password Spraying
Use password spraying to avoid account lockouts: instead of trying many passwords against one user, try a single likely password across many user accounts, then wait out the lockout window before the next password.

### Banner Grabbing
Grab the banner to learn the POP server software and version (and often the operating system). This information is useful for identifying potential vulnerabilities.

Testing the security of POP services lets you identify and fix weaknesses in the email infrastructure before someone else uses them to read sensitive mail.
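The session above, replayed in code as an added example (it is not from the page or from HackTricks): a constructed in-process POP3 server stands in for the target, and a `poplib` client performs the manual steps (banner, `CAPA`, `STAT`, `TOP` to triage headers, `RETR` to pull bodies) and then greps the bodies for credential-looking lines such as the RDP password in the transcript. The server name, mailbox contents and `billydean` account are invented; nothing touches a real host.

```python
import poplib
import re
import socketserver
import threading

# Constructed mailbox for the fake server: message 1 reuses the RDP-credential
# mail from the telnet session above; message 2 starts a line with "." so the
# byte-stuffing rule gets exercised.
MAILBOX = [
    "From: jamesbrown@motown.com\r\nSubject: RDP login\r\n\r\nDear Billy Dean,\r\n\r\n"
    "Here is your login for remote desktop ... try not to forget it this time!\r\n"
    "username: billydean\r\npassword: PA$$W0RD!Z\r\n",
    "From: hr@motown.com\r\nSubject: Lunch\r\n\r\n.leading-dot line\r\nSee you at noon.\r\n",
]
USERS = {"billydean": "password"}  # constructed account on the fake server
CRED_RE = re.compile(r"^(user(?:name)?|login|pass(?:word)?)\s*[:=]\s*(\S+)", re.I | re.M)


class FakePop3(socketserver.StreamRequestHandler):
    """Just enough RFC 1939 for poplib: CRLF line ends, '.'-terminated
    multi-line replies, content lines starting with '.' doubled (byte-stuffing)."""

    def send(self, text):
        self.wfile.write((text + "\r\n").encode())

    def send_lines(self, lines):
        for line in lines:
            self.send("." + line if line.startswith(".") else line)
        self.send(".")

    def handle(self):
        self.send("+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready")
        user, authed = None, False
        while True:
            parts = self.rfile.readline().decode("ascii", "replace").split()
            if not parts:  # EOF (client went away) or an empty line
                return
            cmd, args = parts[0].upper(), parts[1:]
            num = int(args[0]) if args and args[0].isdigit() else 0
            if cmd == "CAPA":
                self.send("+OK Capability list follows")
                self.send_lines(["TOP", "USER", "UIDL", "IMPLEMENTATION constructed-JAMES-2.3.2"])
            elif cmd == "USER" and args:
                user = args[0]
                self.send("+OK")
            elif cmd == "PASS" and args:
                authed = USERS.get(user) == args[0]
                self.send("+OK Welcome %s" % user if authed else "-ERR Authentication failed")
            elif cmd == "QUIT":
                self.send("+OK")  # a real server expunges DELE-marked messages here
                return
            elif not authed:
                self.send("-ERR not authenticated")
            elif cmd == "STAT":
                self.send("+OK %d %d" % (len(MAILBOX), sum(map(len, MAILBOX))))
            elif cmd in ("RETR", "TOP") and 1 <= num <= len(MAILBOX):
                lines = MAILBOX[num - 1].rstrip("\r\n").split("\r\n")
                if cmd == "TOP":  # headers, the blank line, then the first N body lines
                    n = int(args[1]) if len(args) > 1 and args[1].isdigit() else 0
                    lines = lines[: lines.index("") + 1 + n]
                self.send("+OK message follows")
                self.send_lines(lines)
            elif cmd == "RSET":
                self.send("+OK")  # nothing to unmark: this toy never implements DELE
            else:
                self.send("-ERR unknown or malformed command")


def enumerate_pop3(host, port, user, password):
    """Banner, CAPA, STAT, TOP for triage, RETR for bodies, grep for creds.
    RETR never deletes; RSET before QUIT also undoes any stray DELE."""
    pop = poplib.POP3(host, port, timeout=5)
    out = {"banner": pop.getwelcome().decode(), "capa": pop.capa()}
    pop.user(user)
    pop.pass_(password)  # raises poplib.error_proto on -ERR
    out["count"], out["size"] = pop.stat()
    out["subjects"], out["bodies"], out["creds"] = [], [], []
    for i in range(1, out["count"] + 1):
        headers = b"\n".join(pop.top(i, 0)[1]).decode(errors="replace")
        subj = re.search(r"^Subject:\s*(.*)$", headers, re.I | re.M)
        out["subjects"].append(subj.group(1) if subj else "")
        body = b"\n".join(pop.retr(i)[1]).decode(errors="replace")  # poplib un-stuffs ".."
        out["bodies"].append(body)
        out["creds"] += CRED_RE.findall(body)
    pop.rset()
    pop.quit()
    return out


def run_demo():
    """Start the fake server on a free loopback port, enumerate it, stop it."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakePop3)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return enumerate_pop3("127.0.0.1", server.server_address[1], "billydean", "password")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    r = run_demo()
    print(r["banner"], sorted(r["capa"]), r["subjects"], r["creds"])
```

`run_demo()` wires the two halves together; against a real target call `enumerate_pop3()` with the host, port and credentials you have. For port 995 use `poplib.POP3_SSL` instead of `poplib.POP3`, and on port 110 call `pop.stls()` before `user()` whenever `CAPA` lists `STLS`, so your own login does not cross the wire in clear text.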
## Dangerous settings
From [https://academy.hackthebox.com/module/112/section/1073](https://academy.hackthebox.com/module/112/section/1073)

These are Dovecot settings (normally in `conf.d/10-logging.conf` and `conf.d/10-auth.conf`; `doveconf -n` prints the values in effect). `auth_debug_passwords` and `auth_verbose_passwords` write the passwords users submit into the server log, so anyone who can read the log can harvest credentials; `auth_anonymous_username` only matters when `anonymous` is listed in `auth_mechanisms`.

| **Setting** | **Description** |
| ------------------------- | ----------------------------------------------------------------------------------------- |
| `auth_debug` | Enables all authentication debug logging. |
| `auth_debug_passwords` | Raises log verbosity so that the submitted passwords and the password scheme are logged. |
| `auth_verbose` | Logs unsuccessful authentication attempts and the reason they failed. |
| `auth_verbose_passwords` | Passwords used in failed authentication attempts are logged; the logged value can be truncated. |
| `auth_anonymous_username` | Specifies the username used when a client logs in with the ANONYMOUS SASL mechanism. |
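A small audit of those settings, as an added example that is not part of the page, the HTB module or Dovecot: it parses Dovecot's `key = value` / `section { }` syntax (feed it a config file or the output of `doveconf -n`), flags the settings from the table, and emits the lines that close each finding. The sample configuration is constructed. The defaults assumed for absent keys (logging options off, `auth_mechanisms = plain`, `auth_anonymous_username = anonymous`) are Dovecot's documented defaults.

```python
import re

# Constructed `doveconf -n`-style output for a host with the risky settings on.
SAMPLE_CONF = """\
# 2.3.16: /etc/dovecot/dovecot.conf
auth_mechanisms = plain login anonymous
auth_anonymous_username = anonymous
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
# log the first 6 characters of every password that failed
auth_verbose_passwords = plain:6
protocols = pop3 imap
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
}
"""

SETTING_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


def parse_dovecot(text):
    """Flatten `key = value` lines into a dict. `#` starts a comment and `{`/`}`
    open and close sections; keys inside a section are stored as
    section/.../key so they can never shadow a global auth_* setting."""
    settings, stack = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip().replace(" ", ":"))
        elif line == "}":
            stack.pop()
        elif SETTING_RE.match(line):
            key, value = SETTING_RE.match(line).groups()
            settings["/".join(stack + [key])] = value
    return settings


def audit_dovecot(settings):
    """Return (severity, setting, value, why) for each risky setting found."""
    def on(key):
        return settings.get(key, "no").lower() == "yes"

    findings = []
    if on("auth_debug_passwords"):
        findings.append(("high", "auth_debug_passwords", "yes",
                         "submitted passwords and their scheme are written to the auth log"))
    if on("auth_debug"):
        findings.append(("medium", "auth_debug", "yes",
                         "full auth debug logging (auth_debug_passwords=yes turns this on too)"))
    vp = settings.get("auth_verbose_passwords", "no")
    m = re.fullmatch(r"(plain|sha1)(?::(\d+))?", vp)  # Dovecot accepts no|plain|sha1[:N]
    if m:
        how = "plaintext" if m.group(1) == "plain" else "SHA1"
        if m.group(2):
            how += ", truncated to %s chars" % m.group(2)
        findings.append(("high", "auth_verbose_passwords", vp,
                         "passwords from failed logins are logged in " + how))
    if on("auth_verbose"):
        findings.append(("info", "auth_verbose", "yes",
                         "failed logins and reasons are logged; leaks nothing, helps defenders"))
    if "anonymous" in settings.get("auth_mechanisms", "plain").lower().split():
        findings.append(("high", "auth_anonymous_username",
                         settings.get("auth_anonymous_username", "anonymous"),
                         "ANONYMOUS SASL is enabled; clients log in as this user with no password"))
    return findings


SAFE = {"auth_debug": "no", "auth_debug_passwords": "no", "auth_verbose_passwords": "no"}


def hardening_lines(settings, findings):
    """Config lines that close the findings; auth_verbose is left as is."""
    fixes = ["%s = %s" % (s, SAFE[s]) for _, s, _, _ in findings if s in SAFE]
    if any(s == "auth_anonymous_username" for _, s, _, _ in findings):
        kept = [mech for mech in settings.get("auth_mechanisms", "plain").split()
                if mech.lower() != "anonymous"]
        fixes.append("auth_mechanisms = " + " ".join(kept))
    return fixes


if __name__ == "__main__":
    conf = parse_dovecot(SAMPLE_CONF)
    found = audit_dovecot(conf)
    for finding in found:
        print("[%s] %s = %s: %s" % finding)
    print("\n".join(hardening_lines(conf, found)))
```

`auth_verbose` is reported at info level on purpose: it logs failed attempts and why they failed, which leaks no secrets and is exactly what a defender wants for spotting the brute-force and spraying attempts described above.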
## HackTricks Automatic Commands

```
Protocol_Name: POP #Protocol Abbreviation if there is one.
Port_Number: 110 #Comma separated if there is more than one.
Protocol_Description: Post Office Protocol #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for POP
Note: |
Post Office Protocol (POP) is described as a protocol within the realm of computer networking and the Internet, which is utilized for the extraction and retrieval of email from a remote mail server, making it accessible on the local device. Positioned within the application layer of the OSI model, this protocol enables users to fetch and receive email. The operation of POP clients typically involves establishing a connection to the mail server, downloading all messages, storing these messages locally on the client system, and subsequently removing them from the server. Although there are three iterations of this protocol, POP3 stands out as the most prevalently employed version.

https://book.hacktricks.xyz/network-services-pentesting/pentesting-pop

Entry_2:
Name: Banner Grab
Description: Banner Grab 110
Command: nc -nv {IP} 110

Entry_3:
Name: Banner Grab 995
Description: Grab Banner Secure
Command: openssl s_client -connect {IP}:995 -crlf -quiet

Entry_4:
Name: Nmap
Description: Scan for POP info
Command: nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 {IP}

Entry_5:
Name: Hydra Brute Force
Description: Need User
Command: hydra -l {Username} -P {Big_Passwordlist} -f {IP} pop3 -V

Entry_6:
Name: consoleless msf enumeration
Description: POP3 enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/pop3/pop3_version; set RHOSTS {IP}; set RPORT 110; run; exit'
```