IMAP - Port 143, 993
Become VeryLazyTech member! π
Follow us on:
β Twitter @VeryLazyTech.
πΎ Github @VeryLazyTech.
π Medium @VeryLazyTech.
πΊ YouTube @VeryLazyTech.
π© Telegram @VeryLazyTech.
π΅οΈββοΈ My Site @VeryLazyTech.
Visit our shop for e-books and courses. π
Basic info
The Internet Message Access Protocol (IMAP) is a standard protocol for accessing and managing email on remote servers. Widely used in enterprise environments, it facilitates seamless email synchronization across devices. IMAP primarily operates over ports 143 (unencrypted) and 993 (encrypted). As a penetration tester, understanding IMAP's vulnerabilities is crucial, as improperly configured servers or weak authentication mechanisms can expose sensitive information or allow unauthorized access.
This guide provides an in-depth, technical approach to pentesting IMAP, covering reconnaissance, exploitation techniques, and practical tools for ethical hackers.
IMAP Overview
IMAP is designed to allow email clients to interact with email servers without downloading emails locally. Its primary features include:
Port 143: Used for unencrypted communication, exposing data to potential interception.
Port 993: Used for encrypted IMAP traffic via SSL/TLS, offering better security.
However, even encrypted IMAP traffic can be vulnerable to misconfigurations, weak authentication mechanisms, or software vulnerabilities.
Banner Grabbing
Banner grabbing is the first step to gathering information about the IMAP server. It involves connecting to the server and extracting banners that reveal server software, version, and potential vulnerabilities.
Tools and Commands:
Netcat:
nc -nv <IP> 143
OpenSSL for encrypted connections:
openssl s_client -connect <IP>:993 -crlf -quiet
Analysis:
The banner can reveal the IMAP server software (e.g., Dovecot, Cyrus), its version, and supported features like STARTTLS
or AUTH=PLAIN
, which can be leveraged during exploitation.
NTLM Authentication Information Disclosure
IMAP servers often support NTLM authentication, which can inadvertently leak sensitive information during communication. Attackers can exploit this to capture NTLM hashes and perform offline cracking.
Using Responder: Configure Responder to intercept NTLM authentication attempts:
sudo responder -I <interface> -rdwv
Initiate an NTLM Challenge-Response: Exploit IMAPβs NTLM authentication mechanism to capture hashes.
Extract and Crack Hashes: Use John the Ripper or Hashcat to crack captured hashes.
hashcat -m 5600 ntlmhash.txt rockyou.txt
IMAP Brute Force Attacks
Brute forcing is a common technique to test the strength of IMAP credentials.
Hydra:
hydra -L usernames.txt -P passwords.txt imap://<IP>
Medusa:
medusa -h <IP> -u <username> -P passwords.txt -M imap
Nmap NSE Script:
nmap --script imap-brute -p 143 <IP>
IMAP Syntax and Commands
Understanding IMAPβs syntax allows you to interact with the server manually and probe for weaknesses.
LOGIN: Authenticate a user.
a LOGIN username password
LIST: Retrieve available mailboxes.
a LIST "" "*"
SELECT: Access a specific mailbox.
a SELECT INBOX
SEARCH: Search emails based on criteria.
a SEARCH ALL
FETCH: Retrieve email content.
a FETCH 1 BODY[TEXT]
Using openssl s_client
to issue commands over an encrypted session:
openssl s_client -connect <IP>:993
Then input IMAP commands manually:
. LOGIN user@example.com password
. LIST "" "*"
Basic navigation is possible with CURL, but the documentation is light on details so checking the source is recommended for precise details.
Listing mailboxes (imap command LIST "" "*"
)
curl -k 'imaps://1.2.3.4/' --user user:pass
Listing messages in a mailbox (imap command SELECT INBOX
and then SEARCH ALL
)
curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass
The result of this search is a list of message indicies.
Its also possible to provide more complex search terms. e.g. searching for drafts with password in mail body:
curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass
A nice overview of the search terms possible is located here.
Downloading a message (imap command SELECT Drafts
and then FETCH 1 BODY[]
)
curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass
The mail index will be the same index returned from the search operation.
It is also possible to use UID
(unique id) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g.
curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SEARCH ALL' --user user:pass
curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user user:pass
Also, possible to download just parts of a message, e.g. subject and sender of first 5 messages (the -v
is required to see the subject and sender):
$ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<'
Although, its probably cleaner to just write a little for loop:
for m in {1..5}; do
echo $m
curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass
done
Shodan:
Search for exposed IMAP servers:
port:143 "IMAP" OR port:993 "IMAP"
Known Vulnerabilities and CVEs
CVE-2019-3560: Dovecot NTLM authentication buffer overflow.
Exploitable via malformed NTLM packets.
CVE-2020-12675: Improper IMAP command handling in Cyrus IMAP.
Allows remote attackers to crash the server.
CVE-2022-23008: IMAP STARTTLS downgrade vulnerability.
Allows interception of plaintext credentials.
Legacy IMAP Servers:
Exploit STARTTLS Downgrade: Capture plaintext credentials:
openssl s_client -connect <IP>:143 -starttls imap
Buffer Overflow in NTLM Authentication: Trigger using a crafted payload with Metasploit.
msfconsole use exploit/windows/imap/dovecot_ntlm_overflow
Learn & practice For the OSCP.
Last updated
Was this helpful?