IMAP

Source CTF and HTB Academy

Usually on port 143, 993

With the help of the Internet Message Access Protocol (IMAP), access to emails from a mail server is possible. IMAP allows online management of emails directly on the server and supports folder structures. Thus, it is a network protocol for the online management of emails on a remote server. The protocol is client-server-based and allows synchronization of a local email client with the mailbox on the server, providing a kind of network file system for emails, allowing problem-free synchronization across several independent clients.

Commands

Command Description

Command	Description
`1 LOGIN username password`	User's login.
`1 LIST "" *`	Lists all directories.
`1 CREATE "INBOX"`	Creates a mailbox with a specified name.
`1 DELETE "INBOX"`	Deletes a mailbox.
`1 RENAME "ToRead" "Important"`	Renames a mailbox.
`1 LSUB "" *`	Returns a subset of names from the set of names that the User has declared as being active or subscribed.
`1 SELECT INBOX`	Selects a mailbox so that messages in the mailbox can be accessed.
`1 UNSELECT INBOX`	Exits the selected mailbox.
`1 FETCH <ID> all`	Retrieves data associated with a message in the mailbox.
`1 FETCH <ID> body[text]`	Prints the body and text of the message which id is specified
`1 CLOSE`	Removes all messages with the Deleted flag set.
`1 LOGOUT`	Closes the connection with the IMAP server.

1 LOGIN username password

User's login.

1 LIST "" *

Lists all directories.

1 CREATE "INBOX"

Creates a mailbox with a specified name.

1 DELETE "INBOX"

Deletes a mailbox.

1 RENAME "ToRead" "Important"

Renames a mailbox.

1 LSUB "" *

Returns a subset of names from the set of names that the User has declared as being active or subscribed.

1 SELECT INBOX

Selects a mailbox so that messages in the mailbox can be accessed.

1 UNSELECT INBOX

Exits the selected mailbox.

1 FETCH <ID> all

Retrieves data associated with a message in the mailbox.

1 FETCH <ID> body[text]

Prints the body and text of the message which id is specified

1 CLOSE

Removes all messages with the Deleted flag set.

1 LOGOUT

Closes the connection with the IMAP server.

Dangerous Settings

Setting Description

Setting	Description
`auth_debug`	Enables all authentication debug logging.
`auth_debug_passwords`	This setting adjusts log verbosity, the submitted passwords, and the scheme gets logged.
`auth_verbose`	Logs unsuccessful authentication attempts and their reasons.
`auth_verbose_passwords`	Passwords used for authentication are logged and can also be truncated.
`auth_anonymous_username`	This specifies the username to be used when logging in with the ANONYMOUS SASL mechanism.

auth_debug

Enables all authentication debug logging.

auth_debug_passwords

This setting adjusts log verbosity, the submitted passwords, and the scheme gets logged.

auth_verbose

Logs unsuccessful authentication attempts and their reasons.

auth_verbose_passwords

Passwords used for authentication are logged and can also be truncated.

auth_anonymous_username

This specifies the username to be used when logging in with the ANONYMOUS SASL mechanism.

Enumeration

nc -nv TARGET-IP 143
sudo nmap 10.129.14.128 -sV -p143,993 -sC
curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd
curl -k 'imaps://10.129.14.128' --user cry0l1t3:1234 -v
openssl s_client -connect 10.129.14.128:imaps

Resources

PreviousHTTP & HTTPS NextIPMI

Last updated 1 year ago