Pentesting Internet Message Access Protocol (IMAP)
Internet Message Access Protocol (IMAP) is a mail protocol that allows multiple clients to synchronously retrieve emails from a mail server. Designed by Mark Reed Crispin in 1986, it evolved through IMAP2 and IMAP3 to the current IMAP4, introduced in 1994. Unlike its counterpart POP3, which offers only one-off access to mail, IMAP keeps mail synchronised across devices and lets clients manage mailboxes on the server.
IMAP runs on unsecured TCP port 143 or secured TCP port 993. On the wire, an IMAP session looks like this:
# on terminal one
sudo tcpdump -Uni $INTERFACE tcp port 143 or 993    # unbuffered IMAP capture filter
# on terminal two
openssl s_client -connect $IP:143 -starttls imap -crlf -quiet    # open and upgrade connection to server
c login $USERNAME $PASSWORD    # login
c list "" "*"    # list mailboxes
c logout    # terminate the session
Common Server Applications
Unix systems
Dovecot
Courier IMAP
Cyrus IMAP
Citadel
Windows systems
MailEnable
Kerio Connect
Microsoft Exchange Server
Zimbra
Common Commands

| COMMAND    | USAGE                     | DESCRIPTION                                                                          |
|------------|---------------------------|--------------------------------------------------------------------------------------|
| CAPABILITY | CAPABILITY                | list supported commands                                                              |
| CLOSE      | CLOSE                     | close the currently selected mailbox                                                 |
| CREATE     | CREATE $MAILBOXNAME       | create a new mailbox with the specified name                                         |
| DELETE     | DELETE $MAILBOXNAME       | move specified mailbox to trash                                                      |
| EXAMINE    | EXAMINE $MAILBOX_NAME     | same as SELECT but in read-only mode                                                 |
| LIST       | LIST $REFERENCE $MAILBOX  | list specified mailbox; use an empty string as reference and a glob to list all mailboxes |
Enable strong password policies and two-factor authentication for user accounts.
Exploitation
Encountering an IMAP service also invites a hunt for sensitive credentials. Some libraries, such as php-imap, have facilitated remote code execution in the past. Nevertheless, an attacker's inclination would be:
Whether they are able to retrieve sensitive information.
## SERVICE ENUMERATION ##
# with nmap
ls /usr/share/nmap/scripts/imap*    # list nmap imap scripts
SNIP
/usr/share/nmap/scripts/imap-brute.nse
/usr/share/nmap/scripts/imap-capabilities.nse
/usr/share/nmap/scripts/imap-ntlm-info.nse
nmap -p 143,993 -sV $IP    # run a version scan
nmap -p 143,993 --script imap-capabilities $IP    # show capabilities
# with telnet
telnet $IP $PORT    # show banner
# with metasploit
msfconsole -q
search scanner name:imap
use auxiliary/scanner/imap/imap_version
set rhosts $IP
exploit

## CREDENTIAL ENUMERATION ##
# with nmap
nmap -p 143,993 --script imap-ntlm-info $IP    # show the NTLM hash
# with hydra
hydra -t 10 -L $USERNAMELIST -P $PASSWORDLIST -s 143 $IP imap -V    # find credentials
hydra -S -t 20 -l $USERNAME -P $PASSWORDLIST -s 993 $IP imaps -V    # find credentials via SSL
# with medusa
medusa -t 2 -u $USERNAME -P $PASSWORDLIST -e s -n 993 -s -M imap -h $IP -O $OUTPUT_FOLDER    # find credentials via SSL/TLS (-s: use secure port)

## PATH ENUMERATION ##
# with curl (double quotes so the shell expands the variables)
curl -sk --user "$USERNAME:$PASSWORD" "imaps://$IP"    # list all mailboxes
curl -sk --user "$USERNAME:$PASSWORD" "imaps://$IP/$MAILBOX?ALL"    # list the mailbox message index
curl -sk --user "$USERNAME:$PASSWORD" "imaps://$IP/$MAILBOX;MAILINDEX=$MAILINDEX"    # show content of specified mail index

## HOST ENUMERATION/FOOTPRINTING ##
# with nc
nc -n --ssl $IP 993    # connect to server via SSL/TLS
# with openssl
openssl s_client -connect $IP:143 -starttls imap -crlf -quiet
openssl s_client -connect $IP:993 -crlf -quiet
c login $USERNAME $PASSWORD    # login
c list "" "*"    # list mailboxes
c select $MAILBOX    # case-sensitive mailbox name
c search all    # list all mail indexes
c fetch 1 body[]    # read content of specified mail index
c close    # close the selected mailbox
c logout    # terminate the session
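The CAPABILITY command from the table above and the imap-capabilities enumeration are also what a defender uses to verify that port 143 is not accepting credentials in the clear. The following Python script is an added example, not code from the original page: it parses the capability list, flags the weak states (no STARTTLS, no LOGINDISABLED, cleartext SASL mechanisms offered before TLS) and re-checks after the STARTTLS upgrade. It assumes the server certificate validates for the hostname passed in; the capability strings used for the offline checks are constructed.

```python
"""Cleartext-port hardening check for an IMAP server (added example, not from the page)."""
import imaplib
import ssl

# SASL mechanisms that send the password in the clear unless TLS is already up.
CLEARTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(line: str) -> set:
    """Turn '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED ...' into a set of tokens."""
    tokens = line.strip().split()
    if len(tokens) >= 2 and tokens[0] == "*" and tokens[1].upper() == "CAPABILITY":
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def assess(caps: set, tls_established: bool) -> list:
    """List weaknesses visible in a capability set; nothing to flag once TLS is up."""
    findings = []
    if tls_established:
        return findings
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: port 143 cannot be upgraded to TLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED absent: plaintext LOGIN accepted before TLS")
    for mech in sorted(caps & CLEARTEXT_MECHS):
        findings.append(f"{mech} advertised before TLS: password would cross the wire in the clear")
    return findings


def check_server(host: str, port: int = 143) -> dict:
    """Connect to the cleartext port, assess, upgrade with STARTTLS, assess again."""
    conn = imaplib.IMAP4(host, port)  # imaplib issues CAPABILITY on connect
    before = parse_capabilities(" ".join(conn.capabilities))
    report = {"before_tls": assess(before, False)}
    if "STARTTLS" in before:
        # Default context verifies the certificate against `host` (assumed valid).
        conn.starttls(ssl.create_default_context())  # refreshes conn.capabilities
        report["after_tls"] = assess(set(conn.capabilities), True)
    conn.logout()
    return report


if __name__ == "__main__":
    import sys
    for state, items in check_server(sys.argv[1]).items():
        print(state, "->", items or ["no issues"])
```

Run it as `python3 imap_tls_check.py mail.example.org` (hypothetical hostname); an empty `before_tls` list means the cleartext port refuses plaintext credentials until STARTTLS completes.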