IMAP
Internet Message Access Protocol (IMAP) is a protocol for reading and managing mail that stays on the server. The mailbox state (folders, the \Seen flag of a message that has been read, and so on) lives on the server rather than on the client, so every client that connects to the account sees the same folders and the same read/unread status.
Port: 143 (TCP)
IMAP on port 143 is cleartext: credentials and mail cross the wire unencrypted unless the client upgrades the connection with the STARTTLS command.
There is an implicit-TLS variant called IMAPS (port 993, the whole session wrapped in SSL/TLS).
$ telnet IP 143
$ openssl s_client -connect IP:imaps
Once a session is open, you can send commands:
# every command is prefixed with a tag of your choice; the server repeats the tag
# in its final OK/NO/BAD reply so you can match replies to commands
# "a" is used as the tag for the commands below
a LOGIN username password
a LIST "" "*" # list every mailbox (folder), not the mails inside it
a EXAMINE INBOX # open INBOX read-only and show the number of messages it holds
a FETCH 1:* (FLAGS) # list all messages with their flags (\Seen, \Answered, ...)
a FETCH 1 (BODY[]) # show the body of message sequence number 1 (not UID 1); BODY[] also sets \Seen, BODY.PEEK[] leaves the flag untouched
a LOGOUT # end the session
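The same walk through an account (LOGIN, LIST, EXAMINE, FETCH FLAGS, FETCH body) driven from Python's standard imaplib, as an added example that is not part of the original notes. imaplib generates the command tags itself; the reply-parsing helpers are exercised offline against constructed server replies (SAMPLE_LIST and SAMPLE_FLAGS), and the live part needs a real server. Reading host, user and password from the command line is an assumption of this example, as is the auto-upgrade to STARTTLS on port 143.

```python
#!/usr/bin/env python3
"""Added example (not from the original notes): drive the manual IMAP session
(LOGIN -> LIST -> EXAMINE -> FETCH FLAGS -> FETCH body) with Python's imaplib.

The reply parsers are exercised offline against CONSTRUCTED server replies
(SAMPLE_LIST / SAMPLE_FLAGS); the live session needs a real server. Taking
host, user and password from the command line is an assumption."""
import imaplib
import re
import ssl
import sys
from email import message_from_bytes

# One untagged LIST reply as imaplib returns it ("* LIST " prefix already stripped):
#   (\HasNoChildren) "/" "INBOX"
LIST_RE = re.compile(rb'^\((?P<flags>[^)]*)\) (?P<delim>"[^"]*"|NIL) (?P<name>"(?:[^"\\]|\\.)*"|\S+)$')
# One FETCH FLAGS reply line:   3 (FLAGS (\Seen \Answered))
FLAGS_RE = re.compile(rb'^(?P<seq>\d+) \(FLAGS \((?P<flags>[^)]*)\)\)$')


def parse_list_line(line):
    """Return {'flags': [...], 'delim': str|None, 'name': str} for one LIST line."""
    m = LIST_RE.match(line)
    if not m:
        raise ValueError("unexpected LIST reply: %r" % line)
    delim = m.group("delim").decode()
    name = m.group("name").decode()
    if name.startswith('"'):                      # quoted mailbox name: unescape it
        name = name[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return {"flags": m.group("flags").decode().split(),
            "delim": None if delim == "NIL" else delim.strip('"'),
            "name": name}


def parse_flags_line(line):
    """Return (sequence_number, [flags]) for one 'N (FLAGS (...))' line."""
    m = FLAGS_RE.match(line)
    if not m:
        raise ValueError("unexpected FETCH FLAGS reply: %r" % line)
    return int(m.group("seq")), m.group("flags").decode().split()


def unread_sequence_numbers(fetch_lines):
    """Sequence numbers (not UIDs) of the messages that do not carry \\Seen."""
    return [seq for seq, flags in map(parse_flags_line, fetch_lines) if "\\Seen" not in flags]


def connect(host, port=993):
    """993: implicit TLS (IMAPS). 143: cleartext, upgraded with STARTTLS when advertised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # lab targets rarely present a valid certificate
    ctx.verify_mode = ssl.CERT_NONE
    if port == 993:
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    conn = imaplib.IMAP4(host, port)
    if "STARTTLS" in conn.capabilities:
        conn.starttls(ssl_context=ctx)
    return conn


def dump_account(conn, user, password, mailbox="INBOX"):
    """LOGIN, list folders, EXAMINE one mailbox read-only, report unread messages
    and print the first message's headers without setting \\Seen."""
    conn.login(user, password)                     # imaplib adds the tag for you
    status, lines = conn.list('""', '*')           # a LIST "" *
    folders = [parse_list_line(line)["name"] for line in lines if line]
    print("folders:", folders)
    status, count = conn.select(mailbox, readonly=True)   # EXAMINE, not SELECT
    print("%s holds %s message(s)" % (mailbox, count[0].decode()))
    if count[0] == b"0":
        return folders, []
    status, lines = conn.fetch("1:*", "(FLAGS)")   # a FETCH 1:* (FLAGS)
    unread = unread_sequence_numbers([line for line in lines if isinstance(line, bytes)])
    print("unread sequence numbers:", unread)
    # BODY.PEEK[...] leaves \Seen untouched; BODY[...] would mark the message read.
    status, parts = conn.fetch("1", "(BODY.PEEK[HEADER])")
    for part in parts:
        if isinstance(part, tuple):                # (b'1 (BODY[HEADER] {n}', b'raw headers')
            msg = message_from_bytes(part[1])
            print("From: %s\nSubject: %s" % (msg["From"], msg["Subject"]))
    return folders, unread


# CONSTRUCTED replies, shaped like imaplib's return values, for offline checks.
SAMPLE_LIST = [b'(\\HasNoChildren) "/" "INBOX"', b'(\\Noselect \\HasChildren) "/" "Archive"']
SAMPLE_FLAGS = [b'1 (FLAGS (\\Seen))', b'2 (FLAGS ())',
                b'3 (FLAGS (\\Seen \\Answered))', b'4 (FLAGS (\\Flagged))']


def offline_demo():
    """Parse the constructed replies: returns (['INBOX', 'Archive'], [2, 4])."""
    folders = [parse_list_line(line)["name"] for line in SAMPLE_LIST]
    return folders, unread_sequence_numbers(SAMPLE_FLAGS)


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("usage: %s HOST USER PASSWORD [PORT]; offline demo:" % sys.argv[0], offline_demo())
        sys.exit(0)
    host, user, password = sys.argv[1:4]
    session = connect(host, int(sys.argv[4]) if len(sys.argv) > 4 else 993)
    try:
        dump_account(session, user, password)
    finally:
        session.logout()                           # a LOGOUT
```

EXAMINE plus BODY.PEEK keeps the target mailbox looking untouched (no folders opened read-write, no messages flipped to read), which matters when the account's real owner is still using it. Sequence numbers are only stable inside one session; use UID FETCH when you need identifiers that survive between sessions.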
Pentester Notes ⚠️
Foothold
- You may try to brute force the login (check for an account-lockout policy first, and prefer a short, curated password list over a huge one):
$ hydra -L /path/to/users.lst -P /path/to/pass.lst imap://IP
- If you compromise an email account, harvest the internal employees' addresses from the mails (From/To/Cc headers, signatures, address book): the local part of an address is often the account's username on other services, and the mails themselves may leak passwords or internal hostnames.
Alternatives to CLI
Using cURL to fetch emails
You can use cURL to talk IMAPS directly:
$ curl -k 'imaps://IP' --user username:password # list the mailboxes
$ curl -k 'imaps://IP/INBOX?ALL' --user username:password # SEARCH ALL: the sequence numbers of every message in INBOX
$ curl -k 'imaps://IP/INBOX;MAILINDEX=1' --user username:password # fetch message sequence number 1
-k skips certificate verification (handy on lab targets with self-signed certificates). Note that --user puts the password into your shell history and the process list.
Using Evolution to fetch emails
You can also use Evolution, a graphical mail client.
$ sudo apt install evolution
$ evolution
Configure a new mailbox in the account wizard:
- Step 1 (Identity): enter any full name and the targeted email address, and optionally toggle "Don't lookup" so Evolution does not try to detect the server from the address.
- Step 2 (Receiving Email): fill in the server, the port, and the username.
- Step 3 (Receiving Options): unselect all.
- Step 4 (Sending Email): select 'None' as the server type.
- Finish, then Apply.
To-do
Stuff that I found, but never read/used yet:
- dovecot-imapd (a common IMAP server implementation, handy for setting up a test lab)
- sudo nmap IP -p143,993 -sC -sV (version detection plus the default scripts, which grab the banner and the CAPABILITY list)