IMAP (Internet Message Access Protocol)
Default Ports: 143, 993
IMAP (Internet Message Access Protocol) is a protocol used by email clients to retrieve messages from a mail server over a TCP/IP connection. Unlike POP3, which downloads messages to the client device, IMAP allows users to view and manipulate messages without downloading them, providing more flexibility and functionality.
IMAP operates on a client-server model, where the email client connects to the server and interacts with it to manage email messages.
Connect
Connect Using Telnet
You can connect to an IMAP server using Telnet by following these steps:
- Open a terminal window.
- Type the following command:
telnet <server-ip> <port>
- Once connected, you can interact with the IMAP server by typing commands directly into the Telnet session. Every IMAP command must be prefixed with a client-chosen tag (for example a1, a2, ...), which the server repeats in its final OK, NO or BAD response so you can match replies to commands. Telnet only works on the plaintext port 143; port 993 wraps the session in TLS from the first byte, so use openssl s_client -connect <server-ip>:993 there, or openssl s_client -starttls imap -connect <server-ip>:143 to upgrade a port 143 session with STARTTLS.
Connect Using Email Clients
Popular email clients like Outlook, Thunderbird, and Apple Mail support IMAP for retrieving email messages. To connect to an IMAP server using an email client, you typically need to provide the server address, port number, username, and password.
Recon
Identifying an IMAP Server
You can use Nmap to scan for open IMAP ports on a target host:
nmap -p 143,993 <target-ip>
Banner Grabbing
You can use Telnet to connect to the IMAP server and observe the greeting banner (the initial * OK line) to determine the server software and version. Many servers also embed their capability list in that greeting, e.g. * OK [CAPABILITY ...], which tells you before authenticating whether STARTTLS is offered and whether cleartext LOGIN is disabled:
telnet <server-ip> <port>
Enumeration
Enumerating Mailboxes
Once connected and authenticated to the IMAP server (a1 LOGIN <username> <password>), you can list available mailboxes using the LIST command:
a2 LIST "" *
Enumerating Email Headers
You can retrieve email headers from a specific mailbox by first selecting it and then using the FETCH command (1 is the sequence number of the first message in the selected mailbox; use BODY.PEEK[...] instead of BODY[...] if you do not want the fetch to set the message's \Seen flag):
a3 SELECT INBOX
a4 FETCH 1 BODY[HEADER.FIELDS (FROM TO SUBJECT DATE)]
Attack Vectors
Brute Force Attacks
Brute force attacks can be attempted against IMAP servers to guess usernames and passwords. Tools like Hydra and Nmap can be used for this purpose.
Hydra Example
hydra -L users.txt -P passwords.txt imap://<server-ip>
Nmap Example
nmap --script imap-brute -p 143,993 <target-ip>
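From the defender's side, the brute-force and spraying activity described above shows up in the mail server's login log as repeated authentication failures from one source. The following Python script is an added example, not code from the original page: it runs over a few constructed log lines modelled on Dovecot's imap-login format (an assumption; adjust the regular expression to your own server's log format) and flags source IPs that exceed a failure threshold or that cycle through many distinct usernames.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a Dovecot-like imap-login format (assumption:
# real deployments may differ in field order and wording).
SAMPLE_LOG = """\
Mar 03 10:00:01 mx imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Mar 03 10:00:02 mx imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Mar 03 10:00:03 mx imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Mar 03 10:00:04 mx imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Mar 03 10:00:05 mx imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Mar 03 10:00:06 mx imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Mar 03 10:00:07 mx imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
"""

# Matches only failed-authentication disconnects; successful "Login:" lines are ignored.
AUTH_FAILED = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.:a-fA-F]+)"
)


def summarize_failures(log_text):
    """Return {source_ip: (total failed attempts, set of usernames tried)}."""
    per_ip = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = AUTH_FAILED.search(line)
        if not m:
            continue
        entry = per_ip[m.group("rip")]
        entry[0] += int(m.group("attempts"))
        entry[1].add(m.group("user"))
    return {ip: (count, users) for ip, (count, users) in per_ip.items()}


def flag_brute_force(log_text, max_failures=4, max_users=3):
    """Return {source_ip: [reasons]} for sources exceeding either threshold.

    A high failure count indicates password guessing against one or more
    accounts; many distinct usernames from one source indicates spraying.
    """
    alerts = {}
    for ip, (count, users) in summarize_failures(log_text).items():
        reasons = []
        if count >= max_failures:
            reasons.append(f"{count} failed logins")
        if len(users) >= max_users:
            reasons.append(f"{len(users)} distinct usernames tried (spray)")
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in flag_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: " + "; ".join(reasons))
```

The thresholds are deliberately low for the sample; tune them to your login volume, and remember that a slow spray spread across many source addresses will not trip a per-IP counter, so also watch for one username being tried from many sources.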
IMAP Injection
IMAP injection attacks occur when an application that talks to an IMAP server on the user's behalf (typically a webmail front end) builds IMAP commands from user-supplied input without validating or escaping it, allowing an attacker to inject additional commands or protocol syntax to exploit vulnerabilities in the server software or gain unauthorized access to email accounts.
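The root cause is string interpolation into a line-oriented protocol: a CR/LF inside a mailbox name ends the current command and starts a new one. The Python below is an added example, not code from the original page or any webmail product; it shows a vulnerable SELECT builder next to a hardened one that encodes the name as an RFC 3501 quoted string (escaping backslash and double quote) and rejects the control characters a quoted string cannot carry. The command tags and mailbox names are constructed, and the injected payload uses NOOP so the split is visible without any destructive command.

```python
import re

# Characters that can never appear inside an RFC 3501 quoted string.
IMAP_CTL = re.compile(r"[\r\n\x00]")


def build_select_vulnerable(tag, mailbox):
    """Vulnerable: the caller's input is pasted straight into the command line."""
    return f'{tag} SELECT "{mailbox}"\r\n'


def imap_quote(value):
    """Encode value as an RFC 3501 quoted string, or raise on unsafe input.

    Quoted strings escape '\\' and '"' with a backslash and may not contain
    CR, LF or NUL. They are also 7-bit, so non-ASCII names must be UTF-7
    encoded (or sent as a literal) before they reach this function.
    """
    if not isinstance(value, str) or IMAP_CTL.search(value):
        raise ValueError("control characters are not allowed in IMAP quoted strings")
    if any(ord(c) > 127 for c in value):
        raise ValueError("non-ASCII mailbox name: UTF-7 encode it or use a literal")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_select_safe(tag, mailbox):
    """Hardened: the mailbox name is always a single, correctly escaped argument."""
    return f"{tag} SELECT {imap_quote(mailbox)}\r\n"


def count_commands(wire):
    """How many command lines the server would parse out of this buffer."""
    return len([line for line in wire.split("\r\n") if line])


if __name__ == "__main__":
    payload = 'INBOX"\r\na2 NOOP'  # constructed: closes the quote and starts a second command
    print(repr(build_select_vulnerable("a1", payload)), "->",
          count_commands(build_select_vulnerable("a1", payload)), "commands")
    try:
        build_select_safe("a1", payload)
    except ValueError as exc:
        print("hardened builder rejected it:", exc)
    print(repr(build_select_safe("a1", 'Sent "Items"')))
```

The same quoting rule applies to every string argument an application forwards to IMAP (search terms, folder names, flags); whitelisting the expected character set before quoting is a cheap extra layer.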
Man-in-the-Middle (MitM) Attacks
MitM attacks on IMAP traffic can intercept and modify email messages and credentials exchanged between the client and server, compromising the confidentiality and integrity of email communication. They are practical wherever the session runs in cleartext on port 143 without STARTTLS, or where the client does not validate the server certificate, so that a TLS upgrade can be stripped or the server impersonated.
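The greeting captured in the Banner Grabbing section is also the quickest way to check whether a server exposes itself to the cleartext and downgrade attacks above. The Python below is an added example, not code from the original page: it parses the capability list out of a greeting or an untagged CAPABILITY response, extracts the software banner, and reports the hardening findings for a port 143 listener as seen before STARTTLS (no STARTTLS, cleartext LOGIN still allowed, or AUTH=PLAIN/AUTH=LOGIN advertised before TLS). Both greetings are constructed samples; the Dovecot-style wording is an assumption.

```python
import re

# Constructed greetings, one weak and one hardened (Dovecot-like wording assumed).
WEAK_GREETING = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE] IMAP server ready\r\n"
HARDENED_GREETING = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                     "LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.\r\n")
# A server that omits capabilities from the greeting answers "a1 CAPABILITY" like this:
UNTAGGED_CAPABILITY = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na1 OK Capability completed.\r\n"

CAP_RE = re.compile(r"\[CAPABILITY ([^\]]+)\]|^\* CAPABILITY (.+)$", re.MULTILINE)
BANNER_RE = re.compile(r"^\* (?:OK|PREAUTH)(?: \[[^\]]*\])? (.*)$", re.MULTILINE)


def parse_capabilities(response):
    """Return the set of capability tokens found in a greeting or CAPABILITY reply."""
    caps = set()
    for m in CAP_RE.finditer(response):
        caps.update((m.group(1) or m.group(2)).split())
    return caps


def greeting_banner(greeting):
    """Return the free-text part of the greeting (software/version hints)."""
    m = BANNER_RE.search(greeting)
    return m.group(1).strip() if m else ""


def assess_plaintext_port(caps):
    """Findings for a capability set observed on port 143 before STARTTLS."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: the session can never be upgraded to TLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED absent: LOGIN is accepted over cleartext")
    for mech in ("AUTH=PLAIN", "AUTH=LOGIN"):
        if mech in caps:
            findings.append(f"{mech} advertised before TLS: credentials readable on the wire")
    return findings


if __name__ == "__main__":
    for name, greeting in (("weak", WEAK_GREETING), ("hardened", HARDENED_GREETING)):
        caps = parse_capabilities(greeting)
        print(f"[{name}] banner: {greeting_banner(greeting)!r}")
        for finding in assess_plaintext_port(caps) or ["no findings"]:
            print("   -", finding)
```

A clean result on port 143 means the server refuses cleartext authentication and offers STARTTLS; it does not protect clients that skip certificate validation, so the client-side check (hostname verification and a trusted CA) is the other half of the mitigation.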
Post-Exploitation
Email Extraction
After gaining access to an email account via IMAP, attackers can extract sensitive information such as passwords, financial data, or confidential documents from the compromised mailbox.
Email Manipulation
Attackers can manipulate email messages in various ways, including deleting, forwarding, or modifying existing messages, to achieve their objectives.
Email Forwarding
Attackers can set up email forwarding rules to automatically forward incoming messages from the compromised account to an external email address controlled by them, allowing them to monitor communications and steal sensitive information.
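Forwarding rules of this kind are a classic persistence mechanism, and auditing them is a routine incident-response check. The Python below is an added example, not code from the original page: it scans per-user Sieve scripts (the filtering language used with Dovecot and ManageSieve, an assumption about your server) for redirect actions whose target domain is not one of your own, which is exactly the pattern the paragraph above describes. The scripts and domains are constructed; a real audit would pull each user's active script from the server.

```python
import re

# Constructed Sieve scripts keyed by mailbox owner (the format is Sieve, RFC 5228).
SIEVE_SCRIPTS = {
    "alice": 'require ["fileinto"];\n'
             'if header :contains "subject" "invoice" {\n  fileinto "Finance";\n}\n',
    "bob":   'require ["copy"];\nredirect :copy "archive@example.com";\n',
    "carol": '# forwards everything and hides it from the owner\n'
             'require ["copy"];\nif true {\n'
             '  redirect :copy "collector@external-mail.example";\n  discard;\n}\n',
}

# redirect [":copy"] "<address>";  (RFC 3894 adds the :copy tag)
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"\s*;')


def redirect_targets(script):
    """All addresses a Sieve script redirects mail to, in order of appearance."""
    return REDIRECT_RE.findall(script)


def audit_forwarding(scripts, internal_domains):
    """Return [(user, target)] for redirects to domains outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for user, script in scripts.items():
        for target in redirect_targets(script):
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in internal:
                findings.append((user, target))
    return findings


if __name__ == "__main__":
    for user, target in audit_forwarding(SIEVE_SCRIPTS, {"example.com"}):
        print(f"{user}: external forward to {target}")
```

Treat a redirect to an external domain as a finding whether or not the rule keeps a copy: the message reaches the outside address either way. Servers that store forwarding elsewhere (a vacation/forward file, a database field, or a mail platform's inbox rules) need the same check against that source.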