IMAP → Internet Message Access Protocol
Ports
- 143 → IMAP
Initiates the connection in plain text, i.e. without encryption
Standard port for IMAP connections without encryption
On this port, communication can be encrypted between client and server using the STARTTLS command
- 993 → IMAPS
This port is used exclusively for SSL/TLS encrypted connections from the beginning of the connection
It does not allow plain text connections
IMAP Commands
Command | Description |
---|---|
1 LOGIN "<USERNAME>" "<PASSWORD>" | User’s login |
1 LIST "" * | List all directories |
1 CREATE "<INBOX_NAME>" | Create a mailbox |
1 DELETE "<INBOX_NAME>" | Delete a mailbox |
1 RENAME "<OLD_NAME>" "<NEW_NAME>" | Rename a mailbox |
1 SELECT "<INBOX_NAME>" | Select a mailbox |
1 UNSELECT | Exits the selected mailbox |
1 SEARCH ALL | List the UID of all messages in the selected mailbox |
1 FETCH <ID> <FLAGS> | Retrieve data associated with a message in the selected mailbox |
1 LOGOUT | Close the connection with the IMAP server |
Enumeration
IMAP Clients
- Port 143
Netcat
nc <TARGET> 143
Telnet
telnet <TARGET> 143
- Port 993
OpenSSL
openssl s_client -connect <TARGET>:993 -quiet 2> /dev/null
> 1 LOGIN user password
Curl
Non-Interactive
By default it runs LIST "" *
curl --silent --insecure "imaps://<TARGET>:993" --user '<USER>:<PASSWORD>'
Banner Grabbing
Netcat
nc -vn <TARGET> 143
Telnet
telnet <TARGET> 143
Info
Both netcat and telnet only support plain text connections. Therefore, banner grabbing with these tools is only possible on port 143.
OpenSSL
openssl s_client -connect <TARGET>:993 -quiet < /dev/null 2> /dev/null
Curl
A line starting with < means header data received by curl that is usually hidden
curl --silent --verbose --insecure "imaps://<TARGET>:993" --user '<USER>:<PASSWORD>' |& grep -iP -- '^<'
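To turn a port-143 banner into a finding about the STARTTLS behaviour described under Ports, the following added example (not part of the original page) parses the capability list from a greeting or CAPABILITY response. The function name imap_posture, its output labels and the sample banners are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# imap_posture: classify what a port-143 banner says about credential exposure.
# Reads one greeting or CAPABILITY line and prints one of:
#   tls-required  STARTTLS offered, LOGIN disabled and no plaintext SASL before TLS
#   tls-optional  STARTTLS offered, but plaintext authentication is still accepted
#   no-starttls   capability list present without STARTTLS (session stays unencrypted)
#   unknown       the line carries no capability list; send "1 CAPABILITY" to get one
imap_posture() (
    set -f    # the banner is untrusted input: no glob expansion when splitting it
    starttls=0 logindisabled=0 plain_sasl=0
    # Capability names are case-insensitive; strip the trailing CR from CRLF.
    line=$(printf '%s' "$1" | tr -d '\r' | tr '[:lower:]' '[:upper:]')
    case "$line" in
        '* CAPABILITY '*) caps=${line#'* CAPABILITY '} ;;
        *'[CAPABILITY '*) caps=${line#*'[CAPABILITY '}; caps=${caps%%']'*} ;;
        *) echo unknown; exit 0 ;;
    esac
    for cap in $caps; do
        case "$cap" in
            STARTTLS)              starttls=1 ;;
            LOGINDISABLED)         logindisabled=1 ;;
            AUTH=PLAIN|AUTH=LOGIN) plain_sasl=1 ;;
        esac
    done
    if [ "$starttls" -eq 0 ]; then
        echo no-starttls
    elif [ "$logindisabled" -eq 1 ] && [ "$plain_sasl" -eq 0 ]; then
        echo tls-required
    else
        echo tls-optional
    fi
)

# Constructed sample banners (not captured from a real server).
for banner in \
    '* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED] Server ready.' \
    '* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] Server ready.' \
    '* CAPABILITY IMAP4rev1 AUTH=PLAIN' \
    '* OK IMAP4rev1 Service Ready'
do
    printf '%-13s %s\n' "$(imap_posture "$banner")" "$banner"
done
```

A tls-optional or no-starttls result on a server you administer means a client can still send its password before encryption is negotiated.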
Service Interaction
OpenSSL
Interactive Session
openssl s_client -connect <TARGET>:993 2> /dev/null # Connect to IMAP Server
> 1 LOGIN "username" "password" # Auth Login
> 1 LIST "" * # List all existent mailboxes
> 1 SELECT "INBOX" # Select a specific Mailbox
> 1 SEARCH ALL # List the UID of All Messages
> 1 FETCH <ID> BODY[] # Extract All Content of One Message
> 1 FETCH 1:* BODY[] # Extract All Content of All Messages
The same applies for Port 143 using netcat or telnet
Curl
Non-Interactive Session
List All Mailboxes
curl --silent --insecure "imaps://<TARGET>:993" --user '<USER>:<PASSWORD>'
List the UID of All Messages in a Selected Mailbox
curl --silent --insecure "imaps://<TARGET>:993/<INBOX_NAME>?ALL" --user '<USER>:<PASSWORD>'
Extract All Data (Headers and Body) of a Specific Message
Filtered by UID
curl --silent --insecure "imaps://<TARGET>:993/<INBOX_NAME>;MAILINDEX=<MESSAGE_UID>" --user '<USER>:<PASSWORD>'
Extract All Data from all Messages in the Mailbox
- While & Read
CAUTION
The use of & can saturate the server due to parallelism and cause you to be blocked by Fail2ban or other security solutions
while IFS= read -r _uid
do
    curl --silent \
         --insecure \
         "imaps://<TARGET>:993/<INBOX_NAME>;MAILINDEX=$_uid" \
         --user '<USER>:<PASSWORD>' &
done < <(
    curl --silent \
         --insecure \
         "imaps://<TARGET>:993/<INBOX_NAME>?ALL" \
         --user '<USER>:<PASSWORD>' \
    | grep -Po -- '\b\d{1,}\b'
)
Oneliner
while IFS= read -r _uid ; do curl --silent --insecure "imaps://TARGET:993/INBOX_NAME;MAILINDEX=$_uid" --user 'USER:PASSWORD' ; done < <( curl --silent --insecure "imaps://TARGET:993/INBOX_NAME?ALL" --user 'USER:PASSWORD' | grep -iPo -- '\b\d{1,}\b' )
- Mapfile & For
mapfile -t _uids < <(
    curl --silent \
         --insecure \
         "imaps://<TARGET>:993/<INBOX_NAME>?ALL" \
         --user '<USER>:<PASSWORD>' \
    | grep -iPo -- '\b\d{1,}\b'
)
Oneliner
mapfile -t _uids < <( curl --silent --insecure "imaps://TARGET:993/INBOX_NAME?ALL" --user 'USER:PASSWORD' | grep -iPo -- '\b\d{1,}\b' )
for _uid in "${_uids[@]}"
do
    curl --silent \
         --insecure \
         "imaps://<TARGET>:993/<INBOX_NAME>;MAILINDEX=$_uid" \
         --user '<USER>:<PASSWORD>' &
done
Oneliner
for _uid in "${_uids[@]}" ; do curl --silent --insecure "imaps://TARGET:993/INBOX_NAME;MAILINDEX=$_uid" --user 'USER:PASSWORD' ; done