IMAP - Internet Message Access Protocol
This section will cover ways to enumerate Internet Message Access Protocol (IMAP).
Table of Contents
- Overview
- Default Configuration
- Dangerous Settings
- Enumerating IMAP
  - Nmap
  - cURL
  - OpenSSL
Overview
Internet Message Access Protocol (IMAP) makes access to emails from a mail server possible. IMAP allows online management of emails directly on the server and supports folder structures, making it a network protocol for online management of emails on a remote server.
IMAP is a client-server-based protocol and allows synchronisation of a local email client with the mailbox on the server, providing a kind of network file system for emails.
IMAP is text-based and has extended functions, such as browsing emails directly on the server. It is also possible for several users to access the email server simultaneously.
The default port that IMAP uses to establish a connection with the server is TCP port 143. For communication, it uses text-based commands in ASCII format. Several commands can be sent in succession without waiting for confirmation from the server. Once the connection is established, the user is authenticated by username and password to the server.
Without additional protection, IMAP works unencrypted and transmits commands, emails, usernames, and passwords in plain text. Many email servers require an encrypted IMAP session to ensure greater security. SSL/TLS is usually used for this purpose. Depending on the method and implementation used, the encrypted connection uses the standard port 143 or an alternative port such as 993.
Default Configuration
IMAP has a large number of configurations. The table below lists some IMAP commands and their descriptions. Note that each command must be prefixed with a tag such as "a" when it is sent. For example: a LOGIN user pass.
| Command | Description |
|---|---|
| LOGIN username password | User login. |
| LIST "" * | List all directories. |
| CREATE "BOX_Name" | Create a mailbox with a specific name. |
| DELETE "BOX_Name" | Deletes a mailbox. |
| RENAME "BOX_Old_Name" "BOX_New_Name" | Renames a mailbox. |
| LSUB "" * | Returns a subset of names from the set of names that the user has declared as active or subscribed. |
| SELECT INBOX | Selects a mailbox so that messages in the mailbox can be accessed. |
| SEARCH ALL | Search for emails. |
| UNSELECT INBOX | Exits the selected mailbox. |
| CLOSE | Removes all messages with the "Deleted" flag set. |
| FETCH <ID> all | Retrieves data associated with a message in the mailbox. |
| FETCH 1:1 (BODY[TEXT]) | Fetches the first email message. |
| FETCH 1:1 BODY[HEADER] | Retrieves the header of the first email in the selected mailbox. |
| LOGOUT | Close the connection with the IMAP server. |
Dangerous Settings
There are many configuration options that, if improperly configured, can allow an attacker to obtain more information.
The table below lists some settings that can be dangerous, along with their descriptions.
| Setting | Description |
|---|---|
| auth_debug | Enables all authentication debug logging. |
| auth_debug_passwords | Adjusts log verbosity so that the submitted passwords and the scheme are logged. |
| auth_verbose | Logs unsuccessful authentication attempts and their reason. |
| auth_verbose_passwords | Passwords used for authentication are logged and can also be truncated. |
| auth_anonymous_username | Specifies the username to be used when logging in with the ANONYMOUS SASL mechanism. |
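
One way to check a server configuration for the settings in the table above, as an added example that is not part of the original page. It assumes the settings are Dovecot's (the page does not name the server), that boolean values are written `yes`/`no`, and that `auth_mechanisms` lists the enabled SASL mechanisms; the function names and the sample configuration are constructed for illustration.

```python
import re

# Settings from the table above, assumed to be Dovecot's (yes/no values).
BOOLEAN_RISKS = {
    "auth_debug": "debug logging of every authentication step",
    "auth_debug_passwords": "submitted passwords and schemes written to the log",
    "auth_verbose": "failed attempts and their reasons written to the log",
}

def parse_settings(text):
    """Return {key: value} for 'key = value' lines, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit(text):
    """Return a sorted list of (setting, finding) tuples for risky values."""
    s = parse_settings(text)
    findings = []
    for key, risk in BOOLEAN_RISKS.items():
        if s.get(key, "no").lower() == "yes":
            findings.append((key, risk))
    # auth_verbose_passwords takes no, plain or sha1, optionally ':<n>' to truncate.
    mode = s.get("auth_verbose_passwords", "no").lower().split(":", 1)[0]
    if mode in ("plain", "sha1"):
        findings.append(("auth_verbose_passwords", f"attempted passwords logged ({mode})"))
    # The anonymous username only matters when the ANONYMOUS mechanism is offered.
    if "anonymous" in s.get("auth_mechanisms", "").lower().split():
        user = s.get("auth_anonymous_username", "anonymous")
        findings.append(("auth_mechanisms", f"ANONYMOUS login enabled as '{user}'"))
    return sorted(findings)

# Constructed sample configuration, not taken from a real server.
SAMPLE = """
auth_debug = yes
auth_debug_passwords = yes   # left on after troubleshooting
auth_verbose = no
auth_verbose_passwords = sha1:6
auth_mechanisms = plain login
auth_anonymous_username = guest
"""

if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print(f"{setting}: {finding}")
```

On a live host the same function can be fed the output of `doveconf -n` instead of `SAMPLE`.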
Enumerating IMAP
By default, IMAP uses TCP ports 143 and 993, with port 993 used for SSL/TLS to encrypt communications between the client and server. There are many tools we can use to enumerate IMAP.
Some tools are:
- Nmap
- cURL
- OpenSSL
Nmap
We can use the default scripts (-sC) and version scan (-sV) to enumerate for information.
```
nmap -sV -sC -p 143,993 10.42.0.1
```
Command breakdown:
- `-sV` - Specify to scan the version.
- `-sC` - Specify to use the default Nmap scripts.
- `-p 143,993` - Specify to scan port 143 and 993.
- `10.42.0.1` - Specify the target IP address to scan.
cURL
We can use the following curl command to list mailboxes.
```
curl -k 'imaps://10.42.0.1' --user user:MyPassword
```
Command breakdown:
- `-k` - Allow connections to SSL/TLS servers without verifying the certificate.
- `'imaps://10.42.0.1'` - Specify to connect to the specified target using IMAP over a secure connection.
- `--user user:MyPassword` - Specifies the username and password to use for authentication.
We can also use the verbose (-v) option to see how the connection is established. Some information that it can provide is the version of TLS being used, further details of the SSL certificate, and the banner of the service.
```
curl -k 'imaps://10.42.0.1' --user user:MyPassword -v
```
OpenSSL
To interact with IMAP over SSL, we can use openssl and netcat.
```
openssl s_client -connect 10.42.0.1:imaps
```
Command breakdown:
- `s_client` - Specify to use SSL/TLS.
- `-connect 10.42.0.1:imaps` - Specify the server IP address to connect to using IMAP.