Post Office Protocol version 3 (POP3) is a protocol used to download email messages from a Mail Delivery Agent (MDA) server, as shown in the figure below. The mail client connects to the POP3 server, authenticates, and downloads the new email messages before (optionally) deleting them.

[Figure 1: POP3 client downloading mail from the MDA server]

The example below shows what a POP3 session looks like when it is conducted through a Telnet client. First, the user connects to the POP3 server on the default POP3 port, 110. Accessing the email messages requires authentication; the user authenticates by providing the username with USER frank and the password with PASS D2xc9CgD.
  pentester@TryHackMe$ telnet MACHINE_IP 110
  Trying MACHINE_IP...
  Connected to MACHINE_IP.
  Escape character is '^]'.
  +OK MACHINE_IP Mail Server POP3 Wed, 15 Sep 2021 11:05:34 +0300
  USER frank
  +OK frank
  PASS D2xc9CgD
  +OK 1 messages (179) octets
The example above shows that the commands are sent in cleartext. Telnet alone is enough to authenticate and retrieve email messages. Because the username and password are sent in cleartext, any third party monitoring the network traffic can steal the login credentials.

Usually your mail client (MUA) connects to the POP3 server (MDA), authenticates, and downloads the messages. Although the communication over POP3 is hidden behind a slick interface, similar commands are issued, as shown in the Telnet session above.

By default, the mail client deletes messages after downloading them. If you want to download the email again from another mail client, the default behaviour can be changed in the mail client settings. Accessing the same mail account from multiple clients over POP3 is usually not very convenient, because you lose track of which messages are read and unread. To keep all mailboxes synchronised, we need to consider another protocol, such as IMAP.

Usage

When the client establishes a connection with the server, and once the client has provided its identity and it has been successfully confirmed, it moves from the AUTHORIZATION state into the TRANSACTION state. After the corresponding operations are finished, the client issues the QUIT command and enters the UPDATE state; after the update it returns to the AUTHORIZATION state.
  wait for connection        identity confirmed         QUIT command
  ------>|AUTHORIZATION|---------------------->|TRANSACTION|------------>|UPDATE|
              ^                                                             |
              |____________________ return to AUTHORIZATION ________________|
  Command  Argument     State          Description
  USER     username     AUTHORIZATION  Together with the PASS command below, causes a state transition if successful
  PASS     password     AUTHORIZATION
  APOP     Name Digest  AUTHORIZATION  Digest is an MD5 message digest
  STAT                  TRANSACTION    Asks the server to return statistics about the mailbox, such as the total number of messages and total size in bytes
  UIDL     [Msg#]       TRANSACTION    Returns the unique identifier of a message; every identifier is unique within the POP3 session
  LIST     [Msg#]       TRANSACTION    Returns the number of messages and the size of each message
  RETR     [Msg#]       TRANSACTION    Returns the full text of the message identified by the argument
  DELE     [Msg#]       TRANSACTION    The server marks the message identified by the argument as deleted; the deletion is carried out by the QUIT command
  RSET     [Msg#]       TRANSACTION    The server resets all messages marked as deleted; used to undo DELE
  TOP      msg n        TRANSACTION    The server returns the first n lines of the message identified by the argument; n must be a positive integer
  NOOP     [Msg#]       TRANSACTION    The server returns a positive response
  QUIT                  UPDATE
Log in with USER and PASS
  ┌──(jtzJTZ)-[~/Desktop/Temp/thm/Fowsniff_CTF]
  └─$ telnet 10.10.26.92 110
  Trying 10.10.26.92...
  Connected to 10.10.26.92.
  Escape character is '^]'.
  +OK Welcome to the Fowsniff Corporate Mail Server!
  user seina
  +OK
  pass scoobydoo2
  +OK Logged in.
LIST shows the number and size of every message in the mailbox
  list
  +OK 2 messages:
  1 1622
  2 1280
  .
  list 1
  +OK 1 1622
UIDL returns the unique identifier of each message
  uidl
  +OK
  1 000000055aa21d8b
  2 000000065aa21d8b
  .
TOP returns the first n lines of the specified message
  top 1 5
  +OK
  Return-Path: <stone@fowsniff>
  X-Original-To: seina@fowsniff
  Delivered-To: seina@fowsniff
  Received: by fowsniff (Postfix, from userid 1000)
  id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
  To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
  mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
  tegel@fowsniff
  Subject: URGENT! Security EVENT!
  Message-Id: <20180313185107.0FA3916A@fowsniff>
  Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
  From: stone@fowsniff (stone)
  Dear All,
  A few days ago, a malicious actor was able to gain entry to
  our internal email systems. The attacker was able to exploit
  incorrectly filtered escape characters within our SQL database
  .
RETR retrieves the full content of a message
  retr 2
  +OK 1280 octets
  Return-Path: <baksteen@fowsniff>
  X-Original-To: seina@fowsniff
  Delivered-To: seina@fowsniff
  Received: by fowsniff (Postfix, from userid 1004)
  id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
  To: seina@fowsniff
  Subject: You missed out!
  Message-Id: <20180313185405.101CA1AC2@fowsniff>
  Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
  From: baksteen@fowsniff
  Devin,
  You should have seen the brass lay into AJ today!
  We are going to be talking about this one for a looooong time hahaha.
  Who knew the regional manager had been in the navy? She was swearing like a sailor!
  I don't know what kind of pneumonia or something you brought back with
  you from your camping trip, but I think I'm coming down with it myself.
  How long have you been gone - a week?
  Next time you're going to get sick and miss the managerial blowout of the century,
  at least keep it to yourself!
  I'm going to head home early and eat some chicken soup.
  I think I just got an email from Stone, too, but it's probably just some
  "Let me explain the tone of my meeting with management" face-saving mail.
  I'll read it when I get back.
  Feel better,
  Skyler
  PS: Make sure you change your email password.
  AJ had been telling us to do that right before Captain Profanity showed up.
  .
The DELE command does not delete the message at this point; the message is only deleted on QUIT. Any deletion must be carried out on the messages marked as deleted after the QUIT command has been issued. If the connection is interrupted and no QUIT command is sent, the message is still not deleted even though DELE was executed.
  dele 2
  +OK Marked to be deleted.
The RSET command cancels the pending deletions and resets the message state.
  rset
  +OK
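Added example (not code from the original page): a small Python analyser for a captured plaintext POP3 transcript. It walks the AUTHORIZATION, TRANSACTION and UPDATE states described above, records the credentials that crossed the wire in the clear, and reports which messages are really deleted, so a DELE that is never followed by QUIT (the interrupted-session case) stays uncommitted. The transcript, the user name and the password are constructed.

```python
# Added example (not from the page): walk a constructed plaintext POP3 transcript
# ("C: " client, "S: " server) through the AUTHORIZATION/TRANSACTION/UPDATE states.
SAMPLE = """\
C: USER alice
S: +OK
C: PASS example-pass
S: +OK Logged in.
C: LIST
S: +OK 2 messages:
S: 1 1622
S: 2 1280
S: .
C: DELE 2
S: +OK Marked to be deleted.
C: RSET
S: +OK
C: DELE 1
S: +OK Marked to be deleted.
C: QUIT
S: +OK Bye
"""

def analyse_pop3(transcript):
    state, user, pending, marked = "AUTHORIZATION", None, None, set()
    findings = {"cleartext_credentials": [], "deleted": []}
    for line in transcript.splitlines():
        who, _, text = line.partition(": ")
        if who == "C":
            pending = text.split()          # command waiting for its reply
            continue
        if who != "S" or not text.startswith("+OK") or not pending:
            continue                        # only +OK replies change state
        cmd, args = pending[0].upper(), pending[1:]
        pending = None
        if state == "AUTHORIZATION":
            if cmd == "USER" and args:
                user = args[0]
            elif cmd == "PASS" and user and args:
                # username and password crossed the wire unencrypted
                findings["cleartext_credentials"].append((user, args[0]))
                state = "TRANSACTION"
        elif state == "TRANSACTION":
            if cmd == "DELE" and args and args[0].isdigit():
                marked.add(int(args[0]))    # marked only, not yet deleted
            elif cmd == "RSET":
                marked.clear()              # RSET undoes every DELE
            elif cmd == "QUIT":
                state = "UPDATE"            # deletions commit only here
                findings["deleted"] = sorted(marked)
    return dict(findings, final_state=state)
```

Running it on the same transcript with the final QUIT cut off returns final_state TRANSACTION and an empty deleted list, which is exactly the interrupted-session behaviour described above.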

Brute forcing

Be careful not to add extra spaces in the wordlists; spaces affect the check.

MSF

msf6 auxiliary(scanner/pop3/pop3_login) >

hydra

  ┌──(jtzJTZ)-[~/Desktop/Temp/thm/Fowsniff_CTF]
  └─$ hydra -L username.txt -P pass.txt 10.10.37.102 pop3