
Internet Message Access Protocol (IMAP) is a protocol designed for synchronization between mailboxes. It allows the user to create folders and sort mails into them. If a mail is read in one mailbox, it is marked as read in every other mailbox.

🐊️ Port: 143 (TCP)

🔥 IMAP communications are not encrypted.

🔒 There is a secure version called IMAPS (port 993, over SSL/TLS).

$ telnet IP 143
$ openssl s_client -connect IP:imaps

Once a session is available, you can run commands:

# every command must start with a tag (a token of your choice)
# "a" is used as the tag for the commands below
a LOGIN username password
a LIST "" "*"       # list every folder
a EXAMINE INBOX     # open INBOX read-only and show the number of emails
a FETCH 1:* (FLAGS) # list all mails (with their flags)
a FETCH 1 (BODY[])  # show the full message with sequence number 1
a LOGOUT            # logout
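Whether port 143 actually accepts credentials in cleartext can be read from the server greeting or the reply to the standard `CAPABILITY` command. The following is an added example, not part of the original notes: the function names and verdict labels are hypothetical, and the sample responses are constructed.

```python
import re

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "cleartext-login": "* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=LOGIN] ready",
    "starttls-optional": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN",
    "starttls-enforced": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
    "no-capability": "* OK IMAP server ready",
}

# SASL mechanisms that send the password itself over the wire.
CLEARTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(line):
    """Return the upper-cased capability set from a greeting or CAPABILITY reply."""
    # Greeting form: * OK [CAPABILITY a b c] free text
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
    if not m:
        # Untagged reply form: * CAPABILITY a b c
        m = re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.IGNORECASE)
    return {c.upper() for c in m.group(1).split()} if m else set()


def audit_plaintext_port(line):
    """Classify what a client on port 143 may do before any TLS handshake."""
    caps = parse_capabilities(line)
    if not caps:
        return "unknown"            # nothing advertised: send CAPABILITY to find out
    starttls = "STARTTLS" in caps
    # LOGINDISABLED (RFC 3501) refuses the LOGIN command; cleartext SASL
    # mechanisms advertised alongside it still expose the password.
    cleartext_auth = "LOGINDISABLED" not in caps or bool(caps & CLEARTEXT_MECHS)
    if not cleartext_auth:
        return "tls-required" if starttls else "no-cleartext-auth"
    return "tls-optional" if starttls else "cleartext-only"


def audit_all(samples):
    return {name: audit_plaintext_port(line) for name, line in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLES).items():
        print(f"{name:20} {verdict}")
```
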

Pentester Notes ☠️


$ hydra -L /path/to/users.lst -P /path/to/pass.lst imap://IP

If you compromise an email account, make sure to take note of the internal employees' email addresses, as they may also be their usernames.

Alternatives to CLI

Using cURL to fetch emails

You can use cURL to fetch emails. The `-k` flag skips TLS certificate verification.

$ curl -k 'imaps://IP' --user username:password
$ curl -k 'imaps://IP/INBOX?ALL' --user username:password
$ curl -k 'imaps://IP/INBOX;MAILINDEX=1' --user username:password

Using evolution to fetch emails


You can use evolution to fetch emails. It's a graphical mail client.

$ sudo apt install evolution
$ evolution

Configure a new mailbox.

  • Step 1: Add a random full name, and the targeted email, and optionally toggle "Don't lookup."
  • Step 2: Fill server, port, and username
  • Step 3: Unselect all
  • Step 4: Select 'None'
  • Finish, Apply

👻 To-do 👻

Stuff that I found, but haven't read/used yet.

  • dovecot-imapd
  • sudo nmap IP -p143,993 -sC -sV