
## What is POP3

Post Office Protocol version 3 (POP3) is a protocol used to download the email messages from a Mail Delivery Agent (MDA) server, as shown in the figure below. The mail client connects to the POP3 server, authenticates, downloads the new email messages before (optionally) deleting them.

- More Information
	![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/ed910ad418376edc846846fc2a0dd3f6.png)
	
	The example below shows what a POP3 session would look like if conducted via a Telnet client. First, the user connects to the POP3 server at the POP3 default port 110. Authentication is required to access the email messages; the user authenticates by providing his username `USER frank` and password `PASS D2xc9CgD`. Using the command `STAT`, we get the reply `+OK 1 179`; based on [RFC 1939](https://datatracker.ietf.org/doc/html/rfc1939), a positive response to `STAT` has the format `+OK nn mm`, where _nn_ is the number of email messages in the inbox, and _mm_ is the size of the inbox in octets (byte). The command `LIST` provided a list of new messages on the server, and `RETR 1` retrieved the first message in the list. We don’t need to concern ourselves with memorizing these commands; however, it is helpful to strengthen our understanding of such protocol.
	
	Pentester Terminal
	
	```shell-session
	pentester@TryHackMe$ telnet 10.10.142.15 110
	Trying 10.10.142.15...
	Connected to MACHINE_IP.
	Escape character is '^]'.
	+OK MACHINE_IP Mail Server POP3 Wed, 15 Sep 2021 11:05:34 +0300 
	USER frank
	+OK frank
	PASS D2xc9CgD
	+OK 1 messages (179) octets
	STAT
	+OK 1 179
	LIST
	+OK 1 messages (179) octets
	1 179
	.
	RETR 1
	+OK
	From: Mail Server 
	To: Frank 
	subject: Sending email with Telnet
	Hello Frank,
	I am just writing to say hi!
	.
	QUIT
	+OK MACHINE_IP closing connection
	Connection closed by foreign host.
	```
	
	The example above shows that the commands are sent in cleartext. Using Telnet was enough to authenticate and retrieve an email message. As the username and password are sent in cleartext, any third party watching the network traffic can steal the login credentials.

## Find POP3 Port
Nmap
```
nmap -sV -SC IP -p110
```

- Possible to find POP3 on an other port

## Connection
- Telnet
```Terminal
telnet [ip] 110
```

- POP3 Commands
```Terminal
USER frank
+OK frank                             #Machine Response
PASS D2xc9CgD
+OK 1 messages (179) octets           #Machine Response
STAT
+OK 1 179                             #Machine Response
LIST
+OK 1 messages (179) octets           #Machine Response
1 179
.
RETR 1
+OK                                   #Machine Response
From: Mail Server 
To: Frank 
subject: Sending email with Telnet
Hello Frank,
I am just writing to say hi!
.
QUIT
+OK MACHINE_IP closing connection     #Machine Response
Connection closed by foreign host.
```