# IMAP/POP3 Pentesting Notes

## Protocol Overview

### Basic Information

**IMAP**:

* **Port**: TCP 143 (default), TCP 993 (IMAPS)
* **Protocol Type**: Application layer, client-server
* **Purpose**: Email access and management on server
* **Security**: Plain text by default, supports SSL/TLS

**POP3**:

* **Port**: TCP 110 (default), TCP 995 (POP3S)
* **Protocol Type**: Application layer, client-server
* **Purpose**: Email retrieval and deletion
* **Security**: Plain text by default, supports SSL/TLS

### Protocol Differences

| Feature    | IMAP                         | POP3                          |
| ---------- | ---------------------------- | ----------------------------- |
| Storage    | Server-side                  | Client-side                   |
| Sync       | Multi-device sync            | Single device                 |
| Management | Full email/folder management | Basic retrieval/deletion      |
| Connection | Persistent connection        | Connect, download, disconnect |

## Initial Enumeration

### Port Scanning

```bash
# Basic scan
nmap -p110,143,993,995 -sV <target>

# Aggressive scan
nmap -p110,143,993,995 -sV -sC -A <target>

# All related scripts (comma-separate the patterns and quote them so the shell does not glob-expand them)
nmap -p110,143,993,995 --script "imap*,pop3*" <target>
```

### Banner Grabbing

```bash
# IMAP
nc -nv <target> 143

# POP3
nc -nv <target> 110

# IMAPS
openssl s_client -connect <target>:993

# POP3S
openssl s_client -connect <target>:995
```

## Authentication Testing

### IMAP Authentication

```bash
# Using netcat
nc -nv <target> 143
a001 LOGIN username password

# Using openssl for IMAPS
openssl s_client -connect <target>:993
a001 LOGIN username password

# Using curl
curl -k 'imaps://<target>' --user username:password
```

### POP3 Authentication

```bash
# Using netcat
nc -nv <target> 110
USER username
PASS password

# Using openssl for POP3S
openssl s_client -connect <target>:995
USER username
PASS password
```

## Brute Force Attacks

### Using Hydra

```bash
# IMAP
hydra -l user -P passwords.txt <target> imap
hydra -L users.txt -P passwords.txt <target> imap

# POP3
hydra -l user -P passwords.txt <target> pop3
hydra -L users.txt -P passwords.txt <target> pop3
```

### Using Metasploit

```bash
# IMAP
use auxiliary/scanner/imap/imap_version
use auxiliary/scanner/imap/imap_login

# POP3
use auxiliary/scanner/pop3/pop3_version
use auxiliary/scanner/pop3/pop3_login
```

## Command Reference

### IMAP Commands

| Command | Description            | Example                          |
| ------- | ---------------------- | -------------------------------- |
| LOGIN   | Authenticate           | `a001 LOGIN user pass`           |
| LIST    | List mailboxes         | `a002 LIST "" "*"`               |
| SELECT  | Select mailbox         | `a003 SELECT INBOX`              |
| FETCH   | Retrieve message       | `a004 FETCH 1 BODY[]`            |
| STORE   | Modify flags           | `a005 STORE 1 +FLAGS (\Deleted)` |
| EXPUNGE | Delete marked messages | `a006 EXPUNGE`                   |
| LOGOUT  | End session            | `a007 LOGOUT`                    |

### POP3 Commands

| Command | Description       | Example         |
| ------- | ----------------- | --------------- |
| USER    | Set username      | `USER username` |
| PASS    | Set password      | `PASS password` |
| STAT    | Get mailbox stats | `STAT`          |
| LIST    | List messages     | `LIST`          |
| RETR    | Retrieve message  | `RETR 1`        |
| DELE    | Delete message    | `DELE 1`        |
| QUIT    | End session       | `QUIT`          |

## Common NSE Scripts

```bash
# IMAP Scripts
nmap -p143,993 --script imap-capabilities <target>
nmap -p143,993 --script imap-ntlm-info <target>
nmap -p143,993 --script imap-brute <target>

# POP3 Scripts
nmap -p110,995 --script pop3-capabilities <target>
nmap -p110,995 --script pop3-ntlm-info <target>
nmap -p110,995 --script pop3-brute <target>
```

## SSL/TLS Testing

```bash
# Test IMAPS
openssl s_client -connect <target>:993 -crlf
nmap -p993 --script ssl-enum-ciphers <target>

# Test POP3S
openssl s_client -connect <target>:995 -crlf
nmap -p995 --script ssl-enum-ciphers <target>
```
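The `imap-capabilities` / `pop3-capabilities` scripts and the `openssl s_client` checks above show what a server advertises on its cleartext port; the following added example (not code from these notes) turns that advertisement into findings. It parses an IMAP `CAPABILITY` line and a multi-line POP3 `CAPA` reply and reports whether STARTTLS/STLS is offered and whether cleartext authentication (IMAP `LOGIN` without `LOGINDISABLED`, POP3 `USER`, SASL `PLAIN`/`LOGIN`) is still accepted before the TLS upgrade. All capability strings are constructed samples, not captures from a real host.

```python
"""Audit an IMAP CAPABILITY or POP3 CAPA advertisement seen on the cleartext port.

Added example, not part of the original notes. The capability strings below are
constructed samples in the style of a Dovecot server, not output from a real host.
"""
import re
from typing import Dict, List, Set

# Constructed replies to `a001 CAPABILITY` on port 143, before STARTTLS.
IMAP_HARDENED = "* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED"
IMAP_WEAK = "* CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN"

# Constructed multi-line replies to `CAPA` on port 110 (terminated by a lone ".").
POP3_HARDENED = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nRESP-CODES\r\nPIPELINING\r\nSTLS\r\n.\r\n"
POP3_WEAK = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nUSER\r\nSASL PLAIN LOGIN\r\n.\r\n"

# SASL mechanisms that hand the password to anyone who can read the socket.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_imap_capabilities(line: str) -> Set[str]:
    """Tokens of an untagged CAPABILITY response, e.g. {'IMAP4REV1', 'STARTTLS', 'AUTH=PLAIN'}."""
    m = re.match(r"^\* CAPABILITY (.+)$", line.strip())
    if not m:
        raise ValueError("not an untagged CAPABILITY response")
    return {tok.upper() for tok in m.group(1).split()}


def parse_pop3_capabilities(reply: str) -> Dict[str, List[str]]:
    """Capability name -> arguments from a CAPA reply, e.g. {'STLS': [], 'SASL': ['PLAIN', 'LOGIN']}."""
    lines = reply.split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA rejected or unsupported")
    caps: Dict[str, List[str]] = {}
    for raw in lines[1:]:
        if raw == ".":          # end of the multi-line response
            break
        if raw:
            name, *args = raw.upper().split()
            caps[name] = args
    return caps


def audit_imap_cleartext_port(caps: Set[str]) -> List[str]:
    """Findings for a capability set observed on port 143 before STARTTLS."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: the cleartext port cannot be upgraded to TLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED absent: plain LOGIN is accepted before TLS")
    mechs = sorted(c.split("=", 1)[1] for c in caps
                   if c.startswith("AUTH=") and c.split("=", 1)[1] in CLEARTEXT_MECHS)
    if mechs:
        findings.append(f"cleartext SASL mechanisms advertised before TLS: {', '.join(mechs)}")
    return findings


def audit_pop3_cleartext_port(caps: Dict[str, List[str]]) -> List[str]:
    """Findings for a CAPA reply observed on port 110 before STLS."""
    findings = []
    if "STLS" not in caps:
        findings.append("STLS not offered: the cleartext port cannot be upgraded to TLS")
    if "USER" in caps:
        findings.append("USER advertised: USER/PASS cleartext login accepted before TLS")
    mechs = sorted(m for m in caps.get("SASL", []) if m in CLEARTEXT_MECHS)
    if mechs:
        findings.append(f"cleartext SASL mechanisms advertised before TLS: {', '.join(mechs)}")
    return findings


if __name__ == "__main__":
    for label, line in (("IMAP weak", IMAP_WEAK), ("IMAP hardened", IMAP_HARDENED)):
        print(label, audit_imap_cleartext_port(parse_imap_capabilities(line)) or ["no findings"])
    for label, reply in (("POP3 weak", POP3_WEAK), ("POP3 hardened", POP3_HARDENED)):
        print(label, audit_pop3_cleartext_port(parse_pop3_capabilities(reply)) or ["no findings"])
```

The hardened advertisement is what Dovecot produces with `disable_plaintext_auth = yes` and `ssl = required`; once STARTTLS has completed, re-issuing `CAPABILITY` on the same connection is expected to show `AUTH=PLAIN` and drop `LOGINDISABLED`, so only the pre-TLS advertisement should be scored with these functions.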

## Configuration Files

### Server Configuration

* **Dovecot**: `/etc/dovecot/dovecot.conf`
* **Courier**: `/etc/courier/imapd`, `/etc/courier/pop3d`
* **Cyrus**: `/etc/imapd.conf`, `/etc/cyrus.conf`

### Security Files

* **SSL Certificates**: Often in `/etc/ssl/certs/`
* **Authentication**: Various PAM or SASL configs

## Common Vulnerabilities

1. **Authentication Issues**:
   * Clear text transmission
   * Weak credentials
   * No rate limiting
   * Authentication bypass
2. **SSL/TLS Problems**:
   * Weak ciphers
   * Outdated protocols
   * Invalid certificates
   * Missing encryption
3. **Configuration**:
   * Debug logging enabled
   * Anonymous access
   * Unencrypted ports open
   * Excessive information disclosure
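The brute-force runs in the Hydra/Metasploit section and the "Weak credentials" and "No rate limiting" items above leave a trail in the mail server's authentication log. The following added example (not code from these notes) walks Dovecot-style `imap-login` / `pop3-login` syslog lines, keeps a sliding window of failed attempts per source IP, and raises one alert when the count crosses a threshold, labelling it password spraying when the failures span several accounts and a second alert if a login from that IP then succeeds. The log lines are constructed to follow Dovecot's default login log format (an assumption about the deployment, not a real capture); hosts, users and session ids are made up.

```python
"""Flag brute-force and password-spraying patterns in Dovecot login logs.

Added example, not part of the original notes. SAMPLE_LOG is constructed in the
shape of Dovecot's default imap-login / pop3-login syslog lines.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SAMPLE_LOG = [  # constructed sample, not a real capture
    "Mar 12 10:15:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS, session=<s1>",
    "Mar 12 10:15:09 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS, session=<s2>",
    "Mar 12 10:15:20 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, session=<s3>",
    "Mar 12 10:15:33 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS, session=<s4>",
    "Mar 12 10:15:40 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, mpid=4321, TLS, session=<s5>",
    "Mar 12 10:16:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<erin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS, session=<s6>",
    "Mar 12 10:16:05 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.9, lip=198.51.100.2, session=<s7>",
]

# Matches successful logins and failed-auth disconnects; other login-process lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?P<svc>imap|pop3)-login: "
    r"(?P<event>Login|(?:Disconnected|Aborted login) \(auth failed, (?P<n>\d+) attempts in \d+ secs\))"
    r": user=<(?P<user>[^>]*)>, method=(?P<method>[^,]+), rip=(?P<rip>[^,]+)"
)


@dataclass
class LoginEvent:
    ts: datetime
    service: str
    user: str
    rip: str
    failed: bool
    attempts: int   # failed attempts reported for that connection (0 for a successful login)


@dataclass
class Alert:
    rip: str
    kind: str
    attempts: int
    users: List[str]


def parse_dovecot_line(line: str) -> Optional[LoginEvent]:
    """Return a LoginEvent for login successes and auth failures, None for lines we do not score."""
    m = LINE_RE.match(line)
    if not m:
        return None
    failed = m["event"] != "Login"
    return LoginEvent(
        ts=datetime.strptime(m["ts"], "%b %d %H:%M:%S"),   # syslog omits the year; deltas still work
        service=m["svc"], user=m["user"], rip=m["rip"],
        failed=failed, attempts=int(m["n"]) if failed else 0,
    )


def detect(lines: List[str], threshold: int = 5, window: timedelta = timedelta(seconds=120),
           spray_users: int = 3) -> List[Alert]:
    """One alert per source IP whose failures within `window` reach `threshold`, plus a follow-up
    alert if that IP then logs in successfully (a guessed password or reused credential)."""
    events = [e for e in map(parse_dovecot_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    recent: Dict[str, List[LoginEvent]] = defaultdict(list)
    flagged = set()
    alerts: List[Alert] = []
    for e in events:
        if e.failed:
            hist = recent[e.rip]
            hist.append(e)
            while hist and e.ts - hist[0].ts > window:   # sliding window per source IP
                hist.pop(0)
            total = sum(h.attempts for h in hist)
            users = sorted({h.user for h in hist})
            if total >= threshold and e.rip not in flagged:
                flagged.add(e.rip)
                kind = "password spraying" if len(users) >= spray_users else "brute force"
                alerts.append(Alert(e.rip, kind, total, users))
        elif e.rip in flagged:
            alerts.append(Alert(e.rip, "login succeeded after repeated failures", 0, [e.user]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.rip}: {a.kind} (attempts={a.attempts}, users={', '.join(a.users)})")
```

Dovecot reports the per-connection attempt count in the failure line, so the detector sums those counts rather than counting lines; a single connection that tried three passwords before disconnecting is still three attempts. The thresholds are starting points to tune against the site's normal mistyped-password rate.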

## Post Exploitation

### Information Gathering

* Access email content
* Extract attachments
* Find sensitive data
* Gather internal addresses
* Map email relationships

### Privilege Escalation

* Check attachment permissions
* Search for credentials
* Test for command injection
* Access configuration files

## Response Codes

### IMAP Response Codes

| Code    | Meaning                  |
| ------- | ------------------------ |
| OK      | Command completed        |
| NO      | Command failed           |
| BAD     | Invalid command          |
| PREAUTH | Authenticated connection |
| BYE     | Server signing off       |

### POP3 Response Codes

| Code | Meaning            |
| ---- | ------------------ |
| +OK  | Command successful |
| -ERR | Command failed     |
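The tagged command style in the Command Reference (`a001 LOGIN ...`, `a002 LIST ...`) and the response codes in the two tables above fit together as follows: an IMAP client must match each reply to its command by tag, because untagged `*` data (LIST entries, EXISTS counts, a BYE) and `+` continuation requests can arrive before the tagged `OK`/`NO`/`BAD` completion line, while POP3 has only `+OK`/`-ERR` with an optional bracketed response code. The added example below (not code from these notes) classifies both kinds of response over a constructed session transcript; the hostname, users and response texts are made up.

```python
"""Classify IMAP and POP3 server responses from a constructed session transcript.

Added example, not part of the original notes. The transcripts are constructed
server-side lines; no real host was involved.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed server lines for: a001 LOGIN (wrong password), a002 LOGIN (correct),
# a003 LIST "" "*", a004 SELECT INBOX, a005 FETCH (malformed message set), a006 LOGOUT.
IMAP_TRANSCRIPT = [
    "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] mail.example.test ready",
    "a001 NO [AUTHENTICATIONFAILED] Authentication failed.",
    "a002 OK Logged in",
    '* LIST (\\HasNoChildren) "." INBOX',
    "a003 OK List completed.",
    "* 2 EXISTS",
    "* 0 RECENT",
    "* FLAGS (\\Answered \\Flagged \\Deleted \\Seen \\Draft)",
    "a004 OK [READ-WRITE] Select completed.",
    "a005 BAD Error in IMAP command FETCH: Invalid messageset",
    "* BYE Logging out",
    "a006 OK Logout completed.",
]

# Constructed server lines for: greeting, USER, PASS (wrong), PASS (right), STAT, RETR 1, QUIT.
POP3_TRANSCRIPT = [
    "+OK Dovecot ready.",
    "+OK",
    "-ERR [AUTH] Authentication failed.",
    "+OK Logged in.",
    "+OK 1 512",
    "+OK 512 octets",     # the message body and a terminating "." would follow
    "+OK Logging out.",
]

# The (?=\s|$) lookahead keeps a status word from matching the start of data such as "NOOP".
TAGGED_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]+) (?P<status>OK|NO|BAD)(?=\s|$)(?: \[(?P<code>[^\]]+)\])? ?(?P<text>.*)$")
UNTAGGED_STATUS_RE = re.compile(r"^(?P<status>OK|NO|BAD|BYE|PREAUTH)(?=\s|$)(?: \[(?P<code>[^\]]+)\])? ?(?P<text>.*)$")
POP3_RE = re.compile(r"^(?P<status>\+OK|-ERR)(?: \[(?P<code>[^\]]+)\])? ?(?P<text>.*)$")


@dataclass
class ImapResponse:
    kind: str               # "tagged", "untagged" or "continuation"
    tag: Optional[str]      # command tag for tagged responses
    status: Optional[str]   # OK/NO/BAD (tagged), OK/NO/BAD/BYE/PREAUTH (untagged), None for mailbox data
    code: Optional[str]     # bracketed response code such as AUTHENTICATIONFAILED or READ-WRITE
    text: str


def parse_imap_line(line: str) -> ImapResponse:
    line = line.rstrip("\r\n")
    if line == "+" or line.startswith("+ "):
        return ImapResponse("continuation", None, None, None, line[2:])
    if line.startswith("* "):
        m = UNTAGGED_STATUS_RE.match(line[2:])
        if m:
            return ImapResponse("untagged", None, m["status"], m["code"], m["text"])
        return ImapResponse("untagged", None, None, None, line[2:])   # LIST, EXISTS, FLAGS, ...
    m = TAGGED_RE.match(line)
    if not m:
        raise ValueError(f"unparseable IMAP response: {line!r}")
    return ImapResponse("tagged", m["tag"], m["status"], m["code"], m["text"])


def match_tagged(transcript: List[str]) -> Dict[str, ImapResponse]:
    """Map each command tag to its completion response, skipping interleaved untagged data."""
    return {r.tag: r for r in map(parse_imap_line, transcript) if r.kind == "tagged"}


def server_said_bye(transcript: List[str]) -> bool:
    """True if the server sent an untagged BYE, i.e. it is about to close the connection."""
    return any(r.kind == "untagged" and r.status == "BYE" for r in map(parse_imap_line, transcript))


def parse_pop3_line(line: str) -> Tuple[bool, Optional[str], str]:
    """(success, bracketed response code or None, human-readable text) for one POP3 status line."""
    m = POP3_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a POP3 status line: {line!r}")
    return m["status"] == "+OK", m["code"], m["text"]


if __name__ == "__main__":
    for tag, resp in sorted(match_tagged(IMAP_TRANSCRIPT).items()):
        print(f"{tag}: {resp.status} code={resp.code} text={resp.text!r}")
    print("server sent BYE:", server_said_bye(IMAP_TRANSCRIPT))
    for line in POP3_TRANSCRIPT:
        print(parse_pop3_line(line))
```

The bracketed codes are the part worth logging on both sides: `AUTHENTICATIONFAILED` and POP3's `[AUTH]` distinguish a bad credential from a transient server error, and `LOGINDISABLED` in the greeting tells the client that `LOGIN` will be refused until STARTTLS has run.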

## Best Practices for Pentesting

1. **Initial Reconnaissance**:
   * Version identification
   * SSL/TLS check
   * Capability enumeration
   * Authentication methods
2. **Deep Enumeration**:
   * Vulnerability scanning
   * User enumeration
   * SSL/TLS analysis
   * Configuration review
3. **Documentation**:
   * Server details
   * Found vulnerabilities
   * Access methods
   * Sensitive data
4. **Risk Assessment**:
   * Impact analysis
   * Data sensitivity
   * Attack vectors
   * Mitigation recommendations

## Additional Tools

1. **swaks**:

   ```bash
   swaks --to user@domain.com --server <target>
   ```
2. **evolution**:

   ```bash
   evolution --account="imap://<target>"
   ```
3. **Custom Python Scripts**:

   ```python
   # Basic IMAP connection on the cleartext port 143
   # (use imaplib.IMAP4_SSL("<target>", 993) for IMAPS)
   import getpass
   import imaplib
   user = input("Username: ")
   password = getpass.getpass("Password: ")
   mail = imaplib.IMAP4("<target>")
   mail.login(user, password)
   print(mail.capability())  # capabilities advertised after authentication
   mail.logout()
   ```
4. **Misc Tools**:
   * thunderbird (GUI client)
   * mutt (terminal client)
   * alpine (terminal client)


