Pentesting Internet Message Access Protocol (IMAP)

Internet Message Access Protocol (IMAP) is a mail-retrieval protocol that lets multiple clients access and synchronise the same mailbox on a mail server. Designed by Mark Crispin in 1986, it evolved through IMAP2 and IMAP3 to the current IMAP4, introduced in 1994 (the IMAP4rev1 revision is what most servers advertise today). Unlike POP3, which is built around downloading each message once, IMAP keeps mail on the server, so mailboxes stay in sync across devices and can be created, renamed and searched remotely.

/images/smtp/00_smtp-pop-imap-communication.png
SMTP/POP/IMAP Communication

IMAP listens on TCP port 143 (plaintext, optionally upgraded in-band with STARTTLS) and on TCP port 993 (implicit TLS, usually called IMAPS). On the wire, an IMAP session looks like this:

# on terminal one
sudo tcpdump -Uni $INTERFACE tcp port 143 or 993    # unbuffered (-U) capture of both IMAP ports

# on terminal two
openssl s_client -connect $IP:143 -starttls imap -crlf -quiet    # connect to 143 and upgrade to TLS with STARTTLS
c login $USERNAME $PASSWORD    # login (only the greeting and STARTTLS exchange are visible in the capture; everything after is encrypted)
c list "" "*"    # list mailboxes
c logout    # terminate the session

/images/imap/00_imap-traffic.png
IMAPs Traffic

Common Server Applications

  • Unix systems
    • Dovecot
    • Courier IMAP
    • Cyrus IMAP
    • Citadel
    • Zimbra
  • Windows systems
    • MailEnable
    • Kerio Connect
    • Microsoft Exchange Server

Common Commands

COMMAND     USAGE                        DESCRIPTION
CAPABILITY  CAPABILITY                   list the extensions and authentication mechanisms the server supports
CLOSE       CLOSE                        close the selected mailbox (expunges messages flagged \Deleted)
CREATE      CREATE $MAILBOXNAME          create a new mailbox with the specified name
DELETE      DELETE $MAILBOXNAME          permanently remove the specified mailbox (there is no trash)
EXAMINE     EXAMINE $MAILBOXNAME         same as SELECT but read-only: no flags are changed by the session
FETCH       FETCH $SEQ $ITEMS            retrieve message data, e.g. FETCH 1 BODY[] (BODY.PEEK[] reads without setting \Seen)
LIST        LIST $REFERENCE $MAILBOX     list mailboxes; LIST "" "*" (empty reference, * wildcard) lists all of them
LOGIN       LOGIN $USERNAME $PASSWORD    authenticate with a plaintext username and password
LOGOUT      LOGOUT                       end the IMAP session
LSUB        LSUB $REFERENCE $MAILBOX     list the mailboxes the user is subscribed to
NOOP        NOOP                         no-op; keeps the session alive and polls for new mail
RENAME      RENAME $OLDNAME $NEWNAME     rename a mailbox
SEARCH      SEARCH $CRITERIA             return the sequence numbers of messages matching the criteria, e.g. SEARCH ALL
SELECT      SELECT $MAILBOXNAME          select a mailbox for subsequent operations
UNSELECT    UNSELECT                     leave the selected mailbox without expunging (RFC 3691); takes no argument

Common Vulnerabilities

  • Improper Input Validation (CWE-20): malformed commands, literal sizes or mailbox names that the server's parser does not handle safely
  • Generation of Error Message Containing Sensitive Information (CWE-209): verbose NO/BAD responses that leak paths or versions, or that differ for valid and invalid usernames
  • Uncontrolled Resource Consumption (CWE-400): unauthenticated connection floods or oversized literals that exhaust worker processes

Security Best Practices

  • Serve IMAP over TLS only: implicit TLS on 993 or STARTTLS on 143, and refuse LOGIN and AUTH=PLAIN before TLS is negotiated (the server should advertise LOGINDISABLED; in Dovecot this is ssl = required together with disable_plaintext_auth = yes).
  • Enforce strong password policies and two-factor authentication (or app-specific passwords) for user accounts, and rate-limit failed logins to blunt the brute-force tools shown in the Exploitation section.
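Whether a server actually follows the first bullet is visible in its CAPABILITY response. As an added example (not code from the original page), the Python below parses the capability string a server returns in its greeting or to a CAPABILITY command (the same text nmap's imap-capabilities script prints) and decides whether plaintext credentials would be exposed, i.e. whether LOGIN or AUTH=PLAIN/AUTH=LOGIN is accepted before TLS. The three sample responses are constructed, and parse_capabilities and audit_capabilities are hypothetical helper names.

```python
"""Classify an IMAP server's CAPABILITY response for plaintext-auth exposure.

Added example, not part of the original page. The sample responses are
constructed to look like a hardened Dovecot greeting on port 143, the same
server after STARTTLS, and a weakly configured server.
"""
import re

# Constructed samples (not captured from a real host).
SAMPLE_PRE_TLS = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
                  "ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.")
SAMPLE_POST_TLS = ("* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
                   "ENABLE IDLE AUTH=PLAIN AUTH=LOGIN")
SAMPLE_WEAK = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=NTLM] MailServer ready"

# Matches both the untagged "* CAPABILITY ..." response and the
# "[CAPABILITY ...]" response code embedded in a greeting (RFC 3501 7.2.1).
CAP_RE = re.compile(r"CAPABILITY\s+([^\]\r\n]+)")


def parse_capabilities(response: str) -> set:
    """Return the set of capability tokens (upper-cased) from a server line."""
    m = CAP_RE.search(response)
    if not m:
        return set()
    return {tok.upper() for tok in m.group(1).split()}


def audit_capabilities(caps: set, tls_active: bool) -> dict:
    """Summarise a capability set for a pentest report.

    tls_active is True when the set was read after STARTTLS or on port 993,
    meaning anything advertised here is only reachable over an encrypted
    channel.
    """
    auth_mechs = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
    login_allowed = "LOGINDISABLED" not in caps
    plaintext_mech = any(m in ("PLAIN", "LOGIN") for m in auth_mechs)
    return {
        "starttls": "STARTTLS" in caps,
        "login_command_allowed": login_allowed,
        "auth_mechanisms": auth_mechs,
        # Credentials cross the wire unprotected only when the server takes
        # LOGIN or a plaintext SASL mechanism on a not-yet-encrypted socket.
        "plaintext_creds_exposed": (not tls_active) and (login_allowed or plaintext_mech),
        # AUTH=NTLM is worth flagging: the challenge leaks host/domain/OS data
        # (what nmap's imap-ntlm-info pulls out), even without valid creds.
        "ntlm_offered": "NTLM" in auth_mechs,
    }


if __name__ == "__main__":
    for label, line, tls in (("pre-TLS", SAMPLE_PRE_TLS, False),
                             ("post-TLS", SAMPLE_POST_TLS, True),
                             ("weak", SAMPLE_WEAK, False)):
        print(label, audit_capabilities(parse_capabilities(line), tls))
```

Read the port-143 greeting twice on a real target: once before STARTTLS with tls_active=False and once after with tls_active=True. A hardened server shows STARTTLS plus LOGINDISABLED on the first read and only offers AUTH= mechanisms on the second.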

Exploitation
An exposed IMAP service is first and foremost a place to hunt for credentials: mailboxes routinely hold password-reset mails, onboarding instructions and API keys. Code-execution bugs have tended to surface in client libraries rather than in the daemon itself; PHP's imap extension, for instance, let a crafted mailbox string passed to imap_open() run commands (CVE-2018-19518). In practice an attacker works through two questions:

  • Can credentials be guessed or captured (plaintext LOGIN on 143, weak passwords, NTLM challenge data)?
  • Once authenticated, can sensitive information be retrieved from the mailboxes?
## SERVICE ENUMERATION ##
# with nmap
ls /usr/share/nmap/scripts/imap*    # list nmap imap scripts
'SNIP
/usr/share/nmap/scripts/imap-brute.nse
/usr/share/nmap/scripts/imap-capabilities.nse
/usr/share/nmap/scripts/imap-ntlm-info.nse
'
nmap -p 143,993 -sV $IP    # version scan (the banner usually names the daemon, e.g. Dovecot)
nmap -p 143,993 --script imap-capabilities $IP    # show capabilities: look for STARTTLS, LOGINDISABLED and AUTH=*

# with telnet
telnet $IP $PORT    # show the greeting banner (plaintext port only)

# with metasploit
msfconsole -q
search type:auxiliary name:imap
use auxiliary/scanner/imap/imap_version
set rhosts $IP
run

## CREDENTIAL ENUMERATION ##
# with nmap
nmap -p 143,993 --script imap-ntlm-info $IP    # if AUTH=NTLM is offered: pull hostname, domain and OS version out of the NTLM challenge (this is not a hash)

# with hydra
hydra -t 10 -L $USERNAMELIST -P $PASSWORDLIST -s 143 $IP imap -V    # brute force over plaintext IMAP
hydra -S -t 20 -l $USERNAME -P $PASSWORDLIST -s 993 $IP imaps -V    # brute force over implicit TLS

# with medusa
medusa -t 2 -u $USERNAME -P $PASSWORDLIST -e s -n 993 -s -M imap -h $IP -O $OUTPUT_FILE    # brute force over SSL/TLS (-s: use SSL, -e s: also try password = username, -O: log to file)

## MAILBOX ENUMERATION ##
# with curl (double quotes so $IP, $MAILBOX and $MAILINDEX expand)
curl -sk --user "$USERNAME:$PASSWORD" "imaps://$IP"    # list all mailboxes (LIST)
curl -sk --user "$USERNAME:$PASSWORD" "imaps://$IP/$MAILBOX?ALL"    # list the message numbers in the mailbox (SEARCH ALL)
curl -sk --user "$USERNAME:$PASSWORD" "imaps://$IP/$MAILBOX;MAILINDEX=$MAILINDEX"    # fetch the message with that index

## HOST ENUMERATION/FOOTPRINTING ##
# with ncat
ncat --ssl $IP 993    # connect to the server over SSL/TLS (--ssl is an ncat option; plain nc does not have it)

# with openssl
openssl s_client -connect $IP:143 -starttls imap -crlf -quiet    # port 143, upgraded with STARTTLS
openssl s_client -connect $IP:993 -crlf -quiet    # port 993, implicit TLS
c login $USERNAME $PASSWORD    # login
c list "" "*"    # list mailboxes
c select $MAILBOX    # case-sensitive mailbox name (use EXAMINE instead of SELECT to keep the session read-only)
c search all    # list all message sequence numbers
c fetch 1 body[]    # read message 1 (BODY[] sets the \Seen flag, BODY.PEEK[] does not)
c close    # close the selected mailbox
c logout    # terminate the session
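The openssl session above is fine for a handful of messages; on a real mailbox the "can sensitive information be retrieved" question is better answered by a script. The following is an added example (not code from the original page) built on Python's standard imaplib: it opens the mailbox read-only (EXAMINE), runs a server-side SEARCH for credential keywords, fetches the hits with BODY.PEEK[] so no \Seen flags are left behind, and greps the bodies for password/key/token lines. FakeIMAP and its three messages are constructed so the script runs offline and mimics imaplib's (status, data) return shapes; hunt_credentials, search_criteria and connect are hypothetical helper names.

```python
"""Hunt an IMAP mailbox for credential-looking messages with imaplib.

Added example, not part of the original page. FakeIMAP and SAMPLE_MESSAGES
are constructed stand-ins; against a live server use connect() and pass the
returned imaplib.IMAP4_SSL object to hunt_credentials() unchanged.
"""
import imaplib
import re

KEYWORDS = ("password", "credential", "api key", "token")
# "password: hunter2", "api_key = abc", "Token: xyz" and similar.
CRED_LINE_RE = re.compile(
    r"\b(pass(word)?|pwd|api[_ -]?key|token|secret)\s*[:=]\s*(\S+)", re.I)

# --- constructed sample data (not from any real mailbox) -------------------
SAMPLE_MESSAGES = {
    1: b"From: it@corp.example\r\nSubject: VPN onboarding\r\n\r\n"
       b"Your temporary password: Welcome2024!\r\nChange it on first login.\r\n",
    2: b"From: hr@corp.example\r\nSubject: Lunch menu\r\n\r\nTacos on Friday.\r\n",
    3: b"From: devops@corp.example\r\nSubject: CI secrets rotated\r\n\r\n"
       b"api_key = ci-0f3a9b\r\nToken: ghp_constructedexample\r\n",
}


class FakeIMAP:
    """Minimal imaplib.IMAP4 look-alike covering the calls used below."""

    def __init__(self, messages):
        self.messages = messages

    def select(self, mailbox="INBOX", readonly=False):
        # imaplib sends EXAMINE instead of SELECT when readonly=True.
        return "OK", [str(len(self.messages)).encode()]

    def search(self, charset, *criteria):
        # A real server does the substring match; here every quoted keyword in
        # the SEARCH expression is matched case-insensitively against the raw message.
        wanted = [w.lower().encode() for w in re.findall(r'"([^"]+)"', " ".join(criteria))]
        hits = [n for n, raw in self.messages.items() if any(w in raw.lower() for w in wanted)]
        return "OK", [" ".join(str(n) for n in hits).encode()]

    def fetch(self, message_set, message_parts):
        # imaplib returns (b"<num> (<items> {<len>}", payload) tuples interleaved with b")".
        out = []
        for n in message_set.split(","):
            raw = self.messages[int(n)]
            out.append((f"{n} ({message_parts} {{{len(raw)}}}".encode(), raw))
            out.append(b")")
        return "OK", out


def connect(host, user, password, port=993):
    """Live entry point: implicit TLS on 993, then LOGIN. Not used offline."""
    conn = imaplib.IMAP4_SSL(host, port)
    conn.login(user, password)
    return conn


def search_criteria(keywords=KEYWORDS):
    """Build one SEARCH expression OR-ing a BODY match per keyword (OR is binary, so nest)."""
    expr = f'BODY "{keywords[0]}"'
    for k in keywords[1:]:
        expr = f'(OR {expr} BODY "{k}")'
    return expr


def hunt_credentials(conn, mailbox="INBOX"):
    """Return {message_number: [(field, value), ...]} for messages that contain a
    credential-looking line. Read-only select plus BODY.PEEK[] keeps the
    mailbox's flags untouched, which matters on a live engagement."""
    status, _ = conn.select(mailbox, readonly=True)
    if status != "OK":
        raise RuntimeError(f"cannot open {mailbox}")
    status, data = conn.search(None, search_criteria())
    if status != "OK" or not data or not data[0]:
        return {}
    nums = data[0].decode().split()
    status, parts = conn.fetch(",".join(nums), "(BODY.PEEK[])")
    findings = {}
    for item in parts:
        if not isinstance(item, tuple):      # skip the b")" separators
            continue
        num = int(item[0].decode().split()[0])
        body = item[1].decode(errors="replace")
        found = [(m.group(1), m.group(3)) for m in CRED_LINE_RE.finditer(body)]
        if found:
            findings[num] = found
    return findings


if __name__ == "__main__":
    for num, creds in hunt_credentials(FakeIMAP(SAMPLE_MESSAGES)).items():
        print(num, creds)
```

Swap FakeIMAP(SAMPLE_MESSAGES) for connect(host, user, password) and iterate over the names returned by conn.list() to sweep every mailbox; the SEARCH runs server-side, so only matching messages are downloaded.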

References