143,993 - Pentesting IMAP

Reading time: 6 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Internet Message Access Protocol

The Internet Message Access Protocol (IMAP) is designed for the purpose of enabling users to access their email messages from any location, primarily through an Internet connection. In essence, emails are retained on a server rather than being downloaded and stored on an individual's personal device. This means that when an email is accessed or read, it is done directly from the server. This capability allows for the convenience of checking emails from multiple devices, ensuring that no messages are missed regardless of the device used.

By default, the IMAP protocol works on two ports:

  • Port 143 - this is the default IMAP non-encrypted port
  • Port 993 - this is the port you need to use if you want to connect using IMAP securely
PORT STATE SERVICE REASON 143/tcp open imap syn-ack
bash
nc -nv <IP> 143 openssl s_client -connect <IP>:993 -quiet

NTLM Auth - Information disclosure

If the server supports NTLM auth (Windows) you can obtain sensitive info (versions):

root@kali: telnet example.com 143 * OK The Microsoft Exchange IMAP4 service is ready. >> a1 AUTHENTICATE NTLM + >> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= + TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA

Or automate this with nmap plugin imap-ntlm-info.nse

IMAP Bruteforce

Syntax

IMAP Commands examples from here:

Login A1 LOGIN username password Values can be quoted to enclose spaces and special characters. A " must then be escape with a \ A1 LOGIN "username" "password" List Folders/Mailboxes A1 LIST "" * A1 LIST INBOX * A1 LIST "Archive" * Create new Folder/Mailbox A1 CREATE INBOX.Archive.2012 A1 CREATE "To Read" Delete Folder/Mailbox A1 DELETE INBOX.Archive.2012 A1 DELETE "To Read" Rename Folder/Mailbox A1 RENAME "INBOX.One" "INBOX.Two" List Subscribed Mailboxes A1 LSUB "" * Status of Mailbox (There are more flags than the ones listed) A1 STATUS INBOX (MESSAGES UNSEEN RECENT) Select a mailbox A1 SELECT INBOX List messages A1 FETCH 1:* (FLAGS) A1 UID FETCH 1:* (FLAGS) Retrieve Message Content A1 FETCH 2 body[text] A1 FETCH 2 all A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[]) Close Mailbox A1 CLOSE Logout A1 LOGOUT

Evolution

apt install evolution

CURL

Basic navigation is possible with CURL, but the documentation is light on details so checking the source is recommended for precise details.

  1. Listing mailboxes (imap command LIST "" "*")
bash
curl -k 'imaps://1.2.3.4/' --user user:pass
  1. Listing messages in a mailbox (imap command SELECT INBOX and then SEARCH ALL)
bash
curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass

The result of this search is a list of message indicies.

Its also possible to provide more complex search terms. e.g. searching for drafts with password in mail body:

bash
curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass

A nice overview of the search terms possible is located here.

  1. Downloading a message (imap command SELECT Drafts and then FETCH 1 BODY[])
bash
curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass

The mail index will be the same index returned from the search operation.

It is also possible to use UID (unique id) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g.

bash
curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SEARCH ALL' --user user:pass curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user user:pass

Also, possible to download just parts of a message, e.g. subject and sender of first 5 messages (the -v is required to see the subject and sender):

bash
$ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<'

Although, its probably cleaner to just write a little for loop:

bash
for m in {1..5}; do echo $m curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass done

Shodan

  • port:143 CAPABILITY
  • port:993 CAPABILITY

HackTricks Automatic Commands

Protocol_Name: IMAP #Protocol Abbreviation if there is one. Port_Number: 143,993 #Comma separated if there is more than one. Protocol_Description: Internet Message Access Protocol #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for WHOIS Note: | The Internet Message Access Protocol (IMAP) is designed for the purpose of enabling users to access their email messages from any location, primarily through an Internet connection. In essence, emails are retained on a server rather than being downloaded and stored on an individual's personal device. This means that when an email is accessed or read, it is done directly from the server. This capability allows for the convenience of checking emails from multiple devices, ensuring that no messages are missed regardless of the device used. https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-imap.html Entry_2: Name: Banner Grab Description: Banner Grab 143 Command: nc -nv {IP} 143 Entry_3: Name: Secure Banner Grab Description: Banner Grab 993 Command: openssl s_client -connect {IP}:993 -quiet Entry_4: Name: consolesless mfs enumeration Description: IMAP enumeration without the need to run msfconsole Note: sourced from https://github.com/carlospolop/legion Command: msfconsole -q -x 'use auxiliary/scanner/imap/imap_version; set RHOSTS {IP}; set RPORT 143; run; exit'

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks