IMAP 143,993

IMAP Scanning and Enumeration - Ports 143 and 993

Internet Message Access Protocol (IMAP) is the protocol email clients use to read and manage messages that stay on the mail server. Unlike POP3, which downloads and usually deletes mail, IMAP keeps the mailbox server-side so several devices can work on the same folders and stay in sync. Port 143 is the cleartext IMAP port (most servers offer an opportunistic STARTTLS upgrade on it), while port 993 is IMAPS, where TLS is negotiated before any IMAP command is sent.

IMAP Overview:

  • Default Port: 143 (cleartext, optional STARTTLS upgrade), 993 (implicit TLS, IMAPS)

  • Protocol: IMAP enables the management of email folders, and clients can interact with multiple folders (e.g., Inbox, Sent, Drafts) and retrieve messages without downloading them locally.

Enumeration Techniques:

  1. Banner Grabbing:

    • Use nc (Netcat) or nmap to grab the IMAP greeting and identify the server software and version. On 143 the greeting arrives in cleartext; on 993 the server expects a TLS handshake first, so a raw nc connection shows nothing and you need openssl s_client instead. Example:

      nc -vn <IP> 143
      openssl s_client -quiet -connect <IP>:993  # Encrypted IMAP: the greeting appears after the TLS handshake
      nmap -sV -p 143,993 <IP>  # Service version detection (handles the TLS wrap on 993 itself)
  2. Service Version Detection:

    • Use nmap to detect the version of the IMAP service running on ports 143 or 993 and gather additional information. Example:

      sudo nmap -sV -p 143,993 <IP>
  3. Enumerating IMAP Users:

    • Use telnet or nc to connect to the IMAP server and attempt user enumeration. Every command is prefixed with a client-chosen tag (a001, a002, ...) and the server answers with a line carrying the same tag and a status of OK, NO or BAD. Check CAPABILITY first: if it lists LOGINDISABLED, the server refuses LOGIN until STARTTLS has been negotiated. Example with telnet:

      telnet <IP> 143
      a001 CAPABILITY  # Lists supported extensions and AUTH= mechanisms; LOGINDISABLED means STARTTLS is required first
      a002 LOGIN <username> <password>  # Attempt to login with a specific username and password
    • Compare the server's NO response (wording and response time) for a known-bad user against a plausible one. A well-configured server returns the same generic "NO [AUTHENTICATIONFAILED] Authentication failed." in both cases and gives away nothing; only a server that words the two differently (or takes noticeably longer to reject a real account) leaks whether the username exists.

  4. IMAP Commands:

    • The IMAP protocol uses specific commands to interact with the mail server. Common commands include LOGIN, LIST, SELECT, FETCH and LOGOUT. Messages can only be fetched from a mailbox after it has been selected. Example:

      telnet <IP> 143
      a001 LOGIN <username> <password>  # Login to the server
      a002 LIST "" "*"  # List all mailboxes/folders
      a003 SELECT INBOX  # Select the inbox folder; the untagged "* N EXISTS" line gives the message count
      a004 FETCH 1:* (FLAGS)  # Fetch flags for all messages in the selected mailbox
      a005 FETCH 1 (BODY[HEADER.FIELDS (FROM TO SUBJECT DATE)])  # Read selected headers of message 1 without marking it \Seen
      a006 LOGOUT  # End the session cleanly
  5. Anonymous Login (if supported):

    • Some IMAP servers may allow anonymous access, either through the SASL ANONYMOUS mechanism (advertised as AUTH=ANONYMOUS in the CAPABILITY response) or by accepting a guest account with an empty password. Test for this by trying to log in with a known default username and an empty password. The empty password must be sent as a quoted empty string, otherwise the command is a syntax error. Example:

      telnet <IP> 143
      a001 CAPABILITY  # Look for AUTH=ANONYMOUS in the response
      a002 LOGIN anonymous ""  # Attempt to log in with an anonymous username and an empty password
  6. Brute Force (if necessary):

    • Brute force attacks can be conducted against IMAP login credentials. Tools such as hydra or medusa can be used to automate this process. Use the imaps scheme (or -s 993 -S) for the TLS port, and keep the attempt rate low: mail servers commonly lock accounts or rate-limit the source after a handful of failures, which both stops the attack and makes it visible in the logs. Example:

      hydra -l <username> -P <password-list> imap://<IP>
      hydra -l <username> -P <password-list> imaps://<IP>  # Same attack over implicit TLS on 993
  7. SSL/TLS Connection:

    • For encrypted IMAP (port 993), you need to establish a TLS session before any IMAP command can be sent; on port 143 you can instead upgrade an existing cleartext connection with STARTTLS. openssl s_client handles both cases and then lets you type tagged IMAP commands into the encrypted session; nmap's imap-capabilities script lists the server's capabilities on either port (add -sV so nmap recognises the TLS wrapper on 993). Example:

      openssl s_client -connect <IP>:993  # Implicit TLS, then type IMAP commands as on port 143
      openssl s_client -starttls imap -connect <IP>:143  # Cleartext connection upgraded with STARTTLS
      nmap -sV --script imap-capabilities -p 143,993 <IP>
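The exchange the steps above type by hand (CAPABILITY, LOGIN, LIST, SELECT, FETCH, LOGOUT, plus the anonymous-login check) as a small tagged IMAP client, added here as an example and not taken from the original page. So that it runs offline, the block also contains a constructed fake IMAP server that answers those commands with canned, syntactically valid responses; the credentials alice/s3cret, the mailbox names and the message counts are all made up. Against a real target you would point IMAPClient at the host and port (wrapping the socket in TLS for 993) and drop the fake server.

```python
import socket
import socketserver
import threading

# Constructed credentials accepted by the fake server below (assumption, not real data).
VALID_USER, VALID_PASS = "alice", "s3cret"


class FakeIMAPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a real IMAP server: canned IMAP4rev1 responses only."""

    def handle(self):
        # Greeting; many servers already advertise capabilities here, before CAPABILITY is asked.
        self.wfile.write(b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Server ready.\r\n")
        for raw in self.rfile:
            parts = raw.decode("ascii", "replace").strip().split(" ", 2)
            if len(parts) < 2:
                continue
            tag, cmd = parts[0], parts[1].upper()
            args = parts[2] if len(parts) > 2 else ""
            if cmd == "CAPABILITY":
                self.reply(tag, ["* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"], "OK Capability completed")
            elif cmd == "LOGIN":
                user, _, password = args.partition(" ")
                if (user.strip('"'), password.strip('"')) == (VALID_USER, VALID_PASS):
                    self.reply(tag, [], "OK Logged in")
                else:
                    # Same generic failure for unknown user and wrong password: nothing to enumerate on.
                    self.reply(tag, [], "NO [AUTHENTICATIONFAILED] Authentication failed.")
            elif cmd == "LIST":
                self.reply(tag, ['* LIST (\\HasNoChildren) "/" "INBOX"',
                                 '* LIST (\\HasNoChildren) "/" "Sent"'], "OK List completed")
            elif cmd == "SELECT":
                self.reply(tag, ["* 2 EXISTS", "* 0 RECENT", "* FLAGS (\\Answered \\Seen)"],
                           "OK [READ-WRITE] Select completed")
            elif cmd == "FETCH":
                self.reply(tag, ["* 1 FETCH (FLAGS (\\Seen))", "* 2 FETCH (FLAGS ())"], "OK Fetch completed")
            elif cmd == "LOGOUT":
                self.reply(tag, ["* BYE Logging out"], "OK Logout completed")
                return
            else:
                self.reply(tag, [], "BAD Unknown command")

    def reply(self, tag, untagged, tagged):
        for line in untagged:
            self.wfile.write((line + "\r\n").encode())
        self.wfile.write(f"{tag} {tagged}\r\n".encode())


class IMAPClient:
    """Tagged IMAP client: send 'aNNN <command>', collect untagged '*' lines until
    the line carrying our tag arrives, and return its OK/NO/BAD status."""

    def __init__(self, host, port, timeout=5):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self.counter = 0
        self.greeting = self._readline()

    def _readline(self):
        raw = self.rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        return raw.decode("ascii", "replace").rstrip("\r\n")

    def command(self, line):
        self.counter += 1
        tag = f"a{self.counter:03d}"
        self.sock.sendall(f"{tag} {line}\r\n".encode())
        untagged = []
        while True:
            resp = self._readline()
            if resp.startswith(tag + " "):
                status, _, text = resp[len(tag) + 1:].partition(" ")
                return status, text, untagged
            untagged.append(resp)

    def close(self):
        self.sock.close()


def probe(host, port, user, password):
    """Runs the page's sequence: CAPABILITY, LOGIN, LIST, SELECT, FETCH, LOGOUT."""
    c = IMAPClient(host, port)
    out = {"greeting": c.greeting}
    _, _, untagged = c.command("CAPABILITY")
    caps = [ln.split()[2:] for ln in untagged if ln.startswith("* CAPABILITY ")]
    out["capabilities"] = caps[0] if caps else []
    out["starttls"] = "STARTTLS" in out["capabilities"]
    out["anonymous_sasl"] = "AUTH=ANONYMOUS" in out["capabilities"]
    # Quote both arguments: an empty password must go on the wire as "" to be valid syntax.
    status, text, _ = c.command(f'LOGIN "{user}" "{password}"')
    out["login"] = (status, text)
    if status == "OK":
        _, _, lst = c.command('LIST "" "*"')
        # Fine for the canned names; real mailbox names may contain spaces or be sent as literals.
        out["mailboxes"] = [ln.rsplit(" ", 1)[1].strip('"') for ln in lst if ln.startswith("* LIST ")]
        _, _, sel = c.command("SELECT INBOX")
        out["exists"] = next(int(ln.split()[1]) for ln in sel if ln.endswith(" EXISTS"))
        _, _, fetched = c.command("FETCH 1:* (FLAGS)")
        out["flags"] = fetched
    c.command("LOGOUT")
    c.close()
    return out


def run_demo():
    """Starts the fake server on a free loopback port, probes it with valid and anonymous credentials."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeIMAPHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        good = probe("127.0.0.1", port, VALID_USER, VALID_PASS)
        bad = probe("127.0.0.1", port, "anonymous", "")
    finally:
        server.shutdown()
        server.server_close()
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("greeting:", good["greeting"])
    print("capabilities:", good["capabilities"], "STARTTLS:", good["starttls"])
    print("valid login:", good["login"], "mailboxes:", good["mailboxes"], "messages:", good["exists"])
    print("anonymous login:", bad["login"])
```

The rejected anonymous login comes back with exactly the same NO text as any other bad credential, which is the behaviour step 3 warns about: the fake server, like a sensibly configured real one, gives you no way to tell a non-existent user from a wrong password. The tag handling in IMAPClient.command is the part worth reusing: it is what lets a script tell a server's untagged status lines apart from the final answer to the command it just sent.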

Automated Enumeration with Nmap:

Use Nmap scripts to automate IMAP enumeration and vulnerability checks. Quote the script pattern so the shell does not expand the asterisk against files in the current directory, and add -sV so the scripts run inside the TLS session on 993. Note that imap-brute is part of the match and only attempts logins if you supply user and password lists through its userdb and passdb script arguments.

nmap -sV --script "imap-*" -p 143,993 <IP>
