IMAP → Internet Message Access Protocol

Ports
143 → IMAP

Initiates the connection in plain text, i.e. without encryption

Standard port for IMAP connections without encryption

On this port, communication can be encrypted between client and server using the STARTTLS command

993 → IMAPS

This port is used exclusively for SSL/TLS encrypted connections from the beginning of the connection

It does not allow plain text connections

IMAP Commands
Command                                  Description
1 LOGIN "<USERNAME>" "<PASSWORD>"        User's login
1 LIST "" *                              List all directories
1 CREATE "<INBOX_NAME>"                  Create a mailbox
1 DELETE "<INBOX_NAME>"                  Delete a mailbox
1 RENAME "<OLD_NAME>" "<NEW_NAME>"       Rename a mailbox
1 SELECT "<INBOX_NAME>"                  Select a mailbox
1 UNSELECT                               Exits the selected mailbox
1 SEARCH ALL                             List the UID of all messages in the selected mailbox
1 FETCH <ID> <FLAGS>                     Retrieve data associated with a message in the selected mailbox
1 LOGOUT                                 Close the connection to the IMAP server

Remote Connection

Port 143
Netcat
nc <TARGET> 143
Telnet
telnet <TARGET> 143
Port 993
OpenSSL
openssl s_client -connect <TARGET>:993 -quiet 2> /dev/null
> 1 LOGIN user password
Curl

Non-Interactive

By default, curl runs LIST "" *

curl --silent --insecure "imaps://<TARGET>:993" --user '<USER>:<PASSWORD>'

Enumeration

Netcat
nc -vn <TARGET> 143
Telnet
telnet <TARGET> 143
OpenSSL
openssl s_client -connect <TARGET>:993 -quiet 0< /dev/null 2>&0
Curl

A line starting with < means header data received by curl that is usually hidden

curl --silent --verbose --insecure "imaps://<TARGET>:993" --user '<USER>:<PASSWORD>' |& grep -iP -- '^<'

Service Interaction

OpenSSL

Interactive Session

openssl s_client -connect <TARGET>:993 2> /dev/null # Connect to IMAP Server
> 1 LOGIN "username" "password" # Auth Login
> 1 LIST "" * # List all existing mailboxes
> 1 SELECT "INBOX" # Select a specific Mailbox
> 1 SEARCH ALL # List the UID of All Messages
> 1 FETCH <UID> BODY[] # Extract All Content of One Message
> 1 FETCH 1:* BODY[] # Extract All Content of All Messages

The same applies for Port 143 using netcat or telnet

Curl

Non-Interactive Session

List All Mailboxes
curl --silent --insecure "imaps://<TARGET>:993" --user '<USER>:<PASSWORD>'
List the UID of All Messages in a Selected Mailbox
curl --silent --insecure "imaps://<TARGET>:993/<INBOX_NAME>?ALL" --user '<USER>:<PASSWORD>'
Extract All Data (Headers and Body) of a Specific Message

Filtered by UID

curl --silent --insecure "imaps://<TARGET>:993/<INBOX_NAME>;MAILINDEX=<MESSAGE_UID>" --user '<USER>:<PASSWORD>'
Extract All Data from all Messages in the Mailbox
  • While & Read
while IFS= read -r _uid
do
	curl --silent \
	     --insecure \
	     "imaps://<TARGET>:993/<INBOX_NAME>;MAILINDEX=$_uid" \
	     --user '<USER>:<PASSWORD>' &
done < <( 
	curl --silent \
		 --insecure \
		 "imaps://<TARGET>:993/<INBOX_NAME>?ALL" \
		 --user '<USER>:<PASSWORD>' \
		 | grep -Po -- '\b\d{1,}\b'
)
  • Mapfile & For
mapfile -t _uids < <( 
	curl --silent \
		 --insecure \
		 "imaps://<TARGET>:993/<INBOX_NAME>?ALL" \
		 --user '<USER>:<PASSWORD>' \
		 | grep -iPo -- '\b\d{1,}\b'
)

for _uid in "${_uids[@]}"
do
	curl --silent \
		 --insecure \
		 "imaps://<TARGET>:993/<INBOX_NAME>;MAILINDEX=$_uid" \
		 --user '<USER>:<PASSWORD>' &
done

Bruteforcing || Password Spraying

Hydra

Important

The format for the users on the list should be as follows →

<USER>@<DOMAIN>.<TLD>

THC-Hydra

Bruteforcing
  • One User ↔ Passwordlist
hydra -v -T <THREADS> -l <USERNAME> -P <PASSWDLIST> <TARGET> imap
  • Userlist → Passwordlist
hydra -v -T <THREADS> -L <USERLIST> -P <PASSWORDLIST> <TARGET> imap
Password Spraying
hydra -v -T <THREADS> -L <USERLIST> -p <PASSWORD> <TARGET> imap