IMAP/POP3 Pentesting Notes

Protocol Overview

Basic Information

IMAP:

  • Port: TCP 143 (default), TCP 993 (IMAPS)

  • Protocol Type: Application layer, client-server

  • Purpose: Email access and management on server

  • Security: Plain text by default, supports SSL/TLS

POP3:

  • Port: TCP 110 (default), TCP 995 (POP3S)

  • Protocol Type: Application layer, client-server

  • Purpose: Email retrieval and deletion

  • Security: Plain text by default, supports SSL/TLS

Protocol Differences

Feature      IMAP                          POP3
-----------  ----------------------------  -----------------------------------------------
Storage      Server-side                   Client-side (downloaded, usually deleted from server)
Sync         Multi-device sync             Single device
Management   Full email/folder management  Basic retrieval/deletion
Connection   Persistent connection         Connect, download, disconnect

For a tester the storage model matters: a compromised IMAP account exposes the whole server-side mail history and folder structure, while a POP3 account typically yields only mail the owner's client has not yet downloaded.

Initial Enumeration

Port Scanning

# Basic scan
nmap -p110,143,993,995 -sV <target>

# Aggressive scan (-A already implies -sV and -sC)
nmap -p110,143,993,995 -sV -sC -A <target>

# All related scripts: one quoted, comma-separated argument
# ("--script imap* pop3*" would pass pop3* as a target, and the shell may expand the globs)
nmap -p110,143,993,995 --script "imap*,pop3*" <target>

Banner Grabbing

# IMAP (the greeting shows software/version and often the capability list)
nc -nv <target> 143

# POP3
nc -nv <target> 110

# IMAPS (-crlf sends CRLF line endings, which IMAP requires)
openssl s_client -connect <target>:993 -crlf

# POP3S
openssl s_client -connect <target>:995 -crlf
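The capability list is the most useful thing in the banner: it says whether STARTTLS is offered, whether LOGIN/USER+PASS is accepted before encryption, and which SASL mechanisms (PLAIN, LOGIN, NTLM) are on. The following is an added example, not part of the original notes: it parses constructed IMAP and POP3 capability responses (the sample strings are made up, not captured from any host) and turns them into finding codes; grab_capabilities() does the same against a live host and is the only part that touches the network. The function names, the finding codes and the hardened/weak sample banners are this example's own assumptions.

```python
import socket
import ssl

# Constructed sample responses (not captured from any real host).
SAMPLE_IMAP_GREETING = [
    "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=NTLM] IMAP server ready.",
]
SAMPLE_IMAP_HARDENED = [
    "* OK [CAPABILITY IMAP4rev1 SASL-IR ENABLE IDLE STARTTLS LOGINDISABLED] ready.",
]
SAMPLE_POP3_CAPA = [
    "+OK Capability list follows",
    "TOP", "UIDL", "RESP-CODES", "PIPELINING", "USER", "SASL PLAIN LOGIN", "STLS",
    ".",
]


def parse_imap_capabilities(lines):
    """Collect capability tokens (upper-cased) from an IMAP response. They
    arrive either in '* CAPABILITY ...' or inside the greeting as
    '* OK [CAPABILITY ...]'."""
    caps = set()
    for line in lines:
        if line.startswith("* CAPABILITY "):
            caps.update(line[len("* CAPABILITY "):].split())
        elif "[CAPABILITY " in line:
            inner = line.split("[CAPABILITY ", 1)[1].split("]", 1)[0]
            caps.update(inner.split())
    return {c.upper() for c in caps}


def parse_pop3_capabilities(lines):
    """Collect tokens from a CAPA reply; 'SASL PLAIN LOGIN' becomes SASL,
    SASL=PLAIN and SASL=LOGIN so both protocols share one checker."""
    caps = set()
    for line in lines:
        if line.startswith(("+OK", "-ERR")) or line == ".":
            continue
        parts = line.split()
        if not parts:
            continue
        caps.add(parts[0].upper())
        if parts[0].upper() == "SASL":
            caps.update("SASL=" + m.upper() for m in parts[1:])
    return caps


def assess(caps, encrypted):
    """Return sorted finding codes for a capability set observed over a
    plaintext (encrypted=False) or TLS-wrapped connection."""
    findings = []
    starttls = "STARTTLS" in caps or "STLS" in caps
    # Password auth is reachable in the clear if USER/PASS is offered, a
    # cleartext SASL mechanism is offered, or IMAP LOGIN is not disabled.
    cleartext_auth = (
        "USER" in caps
        or bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN", "SASL=PLAIN", "SASL=LOGIN"})
        or ("IMAP4REV1" in caps and "LOGINDISABLED" not in caps)
    )
    if not encrypted and not starttls:
        findings.append("NO_STARTTLS")
    if not encrypted and cleartext_auth:
        findings.append("CLEARTEXT_AUTH")
    if "AUTH=NTLM" in caps or "SASL=NTLM" in caps:
        findings.append("NTLM_OFFERED")   # imap-ntlm-info / pop3-ntlm-info will leak host and domain names
    if "ID" in caps:
        findings.append("ID_EXTENSION")   # 'a002 ID NIL' often returns vendor and version
    return sorted(findings)


def grab_capabilities(host, port, tls=False, timeout=5):
    """Talk to a live server and return (greeting, caps, findings).
    143/110 are read in the clear; tls=True wraps the socket first (993/995).
    Not exercised by the offline samples above."""
    imap = port in (143, 993)
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # lab targets rarely have a valid certificate
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    f = sock.makefile("rwb")
    greeting = f.readline().decode(errors="replace").rstrip("\r\n")
    f.write(b"a001 CAPABILITY\r\n" if imap else b"CAPA\r\n")   # IMAP needs a tag; both need CRLF
    f.flush()
    lines = [greeting]
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        if not line:
            break
        lines.append(line)
        if (imap and line.startswith("a001 ")) or line == "." or line.startswith("-ERR"):
            break
    sock.close()
    caps = parse_imap_capabilities(lines) if imap else parse_pop3_capabilities(lines)
    return greeting, caps, assess(caps, tls)
```

Run the checker twice per service, once on the plaintext port and once on the TLS port: the CLEARTEXT_AUTH and NO_STARTTLS codes only mean anything for the plaintext connection, while NTLM_OFFERED and ID_EXTENSION are worth following up in either case.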

Authentication Testing

IMAP Authentication

# Using netcat (IMAP expects CRLF line endings; if every command gets a BAD reply, retry with nc -C)
nc -nv <target> 143
a001 LOGIN username password

# Using openssl for IMAPS
openssl s_client -connect <target>:993 -crlf
a001 LOGIN username password

# Using curl (-k skips certificate validation; a bare imaps:// URL lists the mailboxes on success)
curl -k 'imaps://<target>' --user username:password

POP3 Authentication

# Using netcat (compare the -ERR text and delay for an unknown user versus a wrong password: a difference allows user enumeration)
nc -nv <target> 110
USER username
PASS password

# Using openssl for POP3S
openssl s_client -connect <target>:995 -crlf
USER username
PASS password

Brute Force Attacks

Using Hydra

# IMAP (use the imaps / pop3s service names for 993/995)
hydra -l user -P passwords.txt <target> imap
hydra -L users.txt -P passwords.txt <target> imap

# POP3
hydra -l user -P passwords.txt <target> pop3
hydra -L users.txt -P passwords.txt <target> pop3

# Confirm lockout policy and scope first, and lower -t (parallel tasks)
# when the server delays failed logins, otherwise results become unreliable.

Using Metasploit

# IMAP
use auxiliary/scanner/imap/imap_version
use auxiliary/scanner/imap/imap_login

# POP3
use auxiliary/scanner/pop3/pop3_version
use auxiliary/scanner/pop3/pop3_login

# Typical options for the *_login modules
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

Command Reference

IMAP Commands

Every client command starts with a client-chosen tag (a001, a002, ...) and ends with CRLF; the server's completion reply repeats that tag.

Command     Description                            Example
----------  -------------------------------------  ------------------------------
CAPABILITY  List extensions and auth mechanisms    a000 CAPABILITY
LOGIN       Authenticate                           a001 LOGIN user pass
LIST        List mailboxes                         a002 LIST "" "*"
SELECT      Select mailbox                         a003 SELECT INBOX
SEARCH      Find messages in the selected mailbox  a004 SEARCH TEXT "password"
FETCH       Retrieve message                       a005 FETCH 1 BODY[]
STORE       Modify flags                           a006 STORE 1 +FLAGS (\Deleted)
EXPUNGE     Delete marked messages                 a007 EXPUNGE
LOGOUT      End session                            a008 LOGOUT

Caveats: FETCH ... BODY[] marks the message \Seen; use BODY.PEEK[] (or EXAMINE instead of SELECT for a read-only session) so the mailbox owner sees no read marks. STORE +FLAGS (\Deleted) followed by EXPUNGE is destructive and stays out of an engagement unless explicitly in scope.

POP3 Commands

Command  Description                                   Example
-------  --------------------------------------------  -------------
CAPA     List capabilities (STLS, SASL, USER)          CAPA
USER     Set username                                  USER username
PASS     Set password                                  PASS password
STAT     Get mailbox stats (message count, total size) STAT
LIST     List messages (number and size)               LIST
RETR     Retrieve message                              RETR 1
TOP      Retrieve headers plus first n body lines      TOP 1 0
DELE     Mark message for deletion                     DELE 1
QUIT     End session (deletions are applied here)      QUIT

Common NSE Scripts

# IMAP Scripts
nmap -p143,993 --script imap-capabilities <target>
nmap -p143,993 --script imap-ntlm-info <target>
nmap -p143,993 --script imap-brute <target>

# POP3 Scripts
nmap -p110,995 --script pop3-capabilities <target>
nmap -p110,995 --script pop3-ntlm-info <target>
nmap -p110,995 --script pop3-brute <target>

SSL/TLS Testing

# Test IMAPS
openssl s_client -connect <target>:993 -crlf
nmap -p993 --script ssl-enum-ciphers <target>

# Test POP3S
openssl s_client -connect <target>:995 -crlf
nmap -p995 --script ssl-enum-ciphers <target>

# Test STARTTLS on the plaintext ports (no upgrade offered, or LOGIN accepted before it, is a finding)
openssl s_client -connect <target>:143 -starttls imap -crlf
openssl s_client -connect <target>:110 -starttls pop3 -crlf

# What to read from the output: certificate subject, issuer and expiry;
# negotiated protocol (TLS 1.0/1.1 are findings) and cipher; and the
# capability list the server sends once the handshake completes.

Configuration Files

Server Configuration

  • Dovecot: /etc/dovecot/dovecot.conf, with most settings split into /etc/dovecot/conf.d/ (10-auth.conf, 10-ssl.conf, 10-logging.conf)

  • Courier: /etc/courier/imapd, /etc/courier/imapd-ssl, /etc/courier/pop3d, /etc/courier/pop3d-ssl

  • Cyrus: /etc/imapd.conf, /etc/cyrus.conf

Security Files

  • SSL Certificates: often in /etc/ssl/certs/ with keys in /etc/ssl/private/ (check key file permissions)

  • Authentication: PAM or SASL configs, plus any database or LDAP bind credentials referenced from the server config

Common Vulnerabilities

  1. Authentication Issues:

    • Clear text transmission

    • Weak credentials

    • No rate limiting

    • Authentication bypass

  2. SSL/TLS Problems:

    • Weak ciphers

    • Outdated protocols

    • Invalid certificates

    • Missing encryption

  3. Configuration:

    • Debug logging enabled

    • Anonymous access

    • Unencrypted ports open

    • Excessive information disclosure
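Most of the items above map onto a handful of server settings. As an added, constructed illustration (not a configuration taken from any real system or from the original notes), here is what they look like in Dovecot 2.3 syntax, first the weak form and then the corrected one; the setting names are Dovecot's, the values are this example's assumptions:

```conf
# WEAK: produces the cleartext, logging and cipher findings listed above
protocols = imap pop3
disable_plaintext_auth = no        # LOGIN / USER+PASS accepted on 143 and 110 before any TLS
ssl = yes                          # TLS offered but optional
auth_mechanisms = plain login ntlm # NTLM challenge leaks host/domain names to unauthenticated clients
auth_verbose = yes
auth_debug = yes                   # authentication flow ends up in the logs
auth_debug_passwords = yes         # and so do the passwords
auth_verbose_passwords = plain

# HARDENED
protocols = imap pop3
disable_plaintext_auth = yes       # server advertises LOGINDISABLED until STARTTLS completes
ssl = required                     # no session at all without TLS
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
auth_mechanisms = plain login      # fine once they can only run inside TLS
auth_failure_delay = 2 secs        # slows online guessing (hydra -t 1 territory)
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
auth_verbose_passwords = no
```

With the hardened block in place, the banner on 143/110 should show STARTTLS plus LOGINDISABLED and no AUTH= mechanisms, which is exactly what the capability checks in the enumeration phase look for.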

Post Exploitation

Information Gathering

  • Access email content (search for terms such as password, VPN, reset, invoice)

  • Extract attachments (configuration files, spreadsheets, exported credentials)

  • Find sensitive data

  • Gather internal addresses (From/To/Cc headers give valid usernames for further brute force and phishing)

  • Map email relationships (who talks to whom; helpdesk and admin mailboxes are high value)

Privilege Escalation / Lateral Movement

  • Reuse harvested mail credentials against other services (SSH, VPN, web applications); passwords are frequently shared

  • Search onboarding and password-reset mails for credentials

  • On the mail server itself, check whether the mail store (Maildir/mbox) and the configuration files are readable by unprivileged users; server configs may hold database or LDAP bind passwords

  • Test mail-processing hooks (delivery filters, sieve scripts, procmail recipes) for command injection
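Once a login works, the information-gathering and credential-hunting steps above are the same loop over every message. The following is an added example, not code from the original notes: triage_message() parses one raw RFC 822 message, pulls out addresses, credential-looking strings and attachments, and triage_mailbox() runs it over a live mailbox with BODY.PEEK[] and a read-only SELECT so nothing in the target account changes. The sample message, the hostnames in it and the regular expressions are constructed for this example.

```python
import email
import email.utils
import imaplib
import re
from email import policy

# Constructed sample message (made up for this example, not a real capture).
SAMPLE_RAW = b"""\
From: IT Helpdesk <helpdesk@corp.example>
To: alice@corp.example
Cc: bob@corp.example
Subject: VPN onboarding
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi Alice,
Your VPN account is ready. Username: alice  Password: Summer2024!
Clone the config from https://deploy:Tr0ub4dor@git.corp.example/vpn.git
--b1
Content-Type: application/octet-stream; name="vpn.ovpn"
Content-Disposition: attachment; filename="vpn.ovpn"
Content-Transfer-Encoding: base64

Y2xpZW50CmRldiB0dW4K
--b1--
"""

# Patterns for the strings a tester wants to see first (example set; extend per engagement).
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd|passphrase)\s*[:=]\s*(\S+)"),
    re.compile(r"(?i)\b(api[_-]?key|token|secret)\s*[:=]\s*([A-Za-z0-9_\-./+=]{8,})"),
    re.compile(r"\b(?:https?|ftp|smb)://[^\s/]+:[^\s@]+@\S+"),   # user:pass embedded in a URL
]


def triage_message(raw):
    """Parse one raw message and return the fields worth reporting."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    bodies, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            attachments.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "data": part.get_payload(decode=True) or b"",   # decoded bytes, ready to write to disk
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            bodies.append(part.get_content())
    text = "\n".join(bodies)
    hits = sorted({m.group(0) for p in CREDENTIAL_PATTERNS for m in p.finditer(text)})
    addrs = set()
    for header in ("From", "To", "Cc"):
        for _, addr in email.utils.getaddresses([str(v) for v in msg.get_all(header, [])]):
            if addr:
                addrs.add(addr.lower())
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "addresses": sorted(addrs),     # feeds the user list for later brute force / phishing
        "hits": hits,
        "attachments": attachments,
    }


def triage_mailbox(host, user, password, mailbox="INBOX", port=993):
    """Run triage_message over a live mailbox via IMAPS. readonly=True and
    BODY.PEEK[] leave flags untouched, so the owner sees no read marks.
    Not exercised offline."""
    imap = imaplib.IMAP4_SSL(host, port)
    imap.login(user, password)
    imap.select(mailbox, readonly=True)
    _, data = imap.search(None, "ALL")
    reports = []
    for num in data[0].split():
        _, parts = imap.fetch(num, "(BODY.PEEK[])")
        reports.append(triage_message(parts[0][1]))
    imap.logout()
    return reports
```

The hits list is deliberately narrow: a few high-signal patterns beat a large keyword list when there are thousands of messages, and anything it flags (here a VPN password and a deploy token inside a git URL) goes straight into the credential-reuse step.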

Response Codes

IMAP Response Codes

Every IMAP server line is one of three kinds: a tagged completion that echoes the client's tag ("a001 OK ..."), an untagged data or status line ("* 3 EXISTS", "* OK ..."), or a continuation request ("+ ").

Code     Meaning
-------  --------------------------------------------------------------------
OK       Command completed (also the normal greeting)
NO       Command failed, e.g. "a001 NO [AUTHENTICATIONFAILED] ..." for bad credentials
BAD      Protocol error: unknown command, bad arguments or missing tag
PREAUTH  Greeting only: the connection is already authenticated and no LOGIN is needed; a finding if seen on a reachable port
BYE      Server is closing the connection (greeting, after LOGOUT, or on timeout/abuse)
+        Continuation request: the server wants more data (SASL response after AUTHENTICATE, or a literal)

POP3 Response Codes

Code  Meaning
----  --------------------------------------------------------------------
+OK   Command successful; multi-line replies (LIST, RETR, TOP, CAPA) end with a line containing only "."
-ERR  Command failed; compare the text and timing for an unknown user versus a wrong password, since a difference allows user enumeration
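Reading raw sessions by eye gets old quickly, so the following added example (not from the original notes) encodes the rules from the command reference and the two response-code tables: it classifies every IMAP line as tagged, untagged or continuation, pairs each client command with the server lines up to its tagged completion, and does the equivalent for POP3 including the "." terminator of multi-line replies. The C:/S: transcripts are constructed for the example, and the function names are its own.

```python
# Constructed transcripts (C: client, S: server); not captured from a real host.
SAMPLE_IMAP_SESSION = """\
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN] ready
C: a001 LOGIN alice wrong
S: a001 NO [AUTHENTICATIONFAILED] Authentication failed.
C: a002 LOGIN alice secret
S: a002 OK [CAPABILITY IMAP4rev1 IDLE] Logged in
C: a003 LIST "" "*"
S: * LIST (\\HasNoChildren) "." INBOX
S: * LIST (\\HasNoChildren) "." Sent
S: a003 OK List completed.
C: a004 SELECT INBOX
S: * 2 EXISTS
S: * 0 RECENT
S: * FLAGS (\\Answered \\Flagged \\Deleted \\Seen \\Draft)
S: a004 OK [READ-WRITE] Select completed.
C: a005 SEARCH TEXT "password"
S: * SEARCH 1
S: a005 OK Search completed.
C: a006 FETCH 1 (FLAGS RFC822.SIZE)
S: * 1 FETCH (FLAGS (\\Seen) RFC822.SIZE 1234)
S: a006 OK Fetch completed.
C: a007 LOGOUT
S: * BYE Logging out
S: a007 OK Logout completed.
"""

SAMPLE_POP3_SESSION = """\
S: +OK POP3 ready
C: USER bob
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 2 4096
C: LIST
S: +OK 2 messages:
S: 1 1024
S: 2 3072
S: .
C: DELE 1
S: +OK Marked to be deleted.
C: QUIT
S: +OK Logging out, messages deleted.
"""

IMAP_STATUS = ("OK", "NO", "BAD", "PREAUTH", "BYE")


def classify_imap(line):
    """Return (kind, tag, status, text) for one IMAP server line.
    kind is 'tagged', 'untagged' or 'continuation'; status is one of
    IMAP_STATUS or None for pure data lines such as '* 2 EXISTS'."""
    if line == "+" or line.startswith("+ "):
        return ("continuation", None, None, line[2:])
    if line.startswith("* "):
        rest = line[2:]
        first = rest.split(" ", 1)[0].upper()
        return ("untagged", "*", first if first in IMAP_STATUS else None, rest)
    tag, _, rest = line.partition(" ")
    status, _, text = rest.partition(" ")
    return ("tagged", tag, status.upper(), text)


def classify_pop3(line):
    """Return ('ok' | 'err' | 'data', text) for one POP3 server line."""
    if line.startswith("+OK"):
        return ("ok", line[3:].strip())
    if line.startswith("-ERR"):
        return ("err", line[4:].strip())
    return ("data", line)


def walk_imap_session(transcript):
    """Pair each client command with the server lines up to its tagged
    completion. Returns {'greeting': status, 'commands': [...]}."""
    session = {"greeting": None, "commands": []}
    current = None
    for raw in transcript.splitlines():
        who, _, line = raw.partition(": ")
        if who == "C":
            tag, _, rest = line.partition(" ")
            current = {"tag": tag, "command": rest.split(" ", 1)[0].upper(),
                       "status": None, "untagged": []}
            session["commands"].append(current)
            continue
        kind, tag, status, text = classify_imap(line)
        if current is None:
            if kind == "untagged":
                session["greeting"] = status        # OK, PREAUTH or BYE
        elif kind == "tagged" and tag == current["tag"]:
            current["status"] = status              # the command is now complete
        elif kind == "untagged":
            current["untagged"].append(text)        # data belonging to the command in flight
    return session


def walk_pop3_session(transcript):
    """Pair each POP3 command with its status line and any multi-line data
    (terminated by '.', with '..' byte-stuffing undone)."""
    results, current = [], None
    for raw in transcript.splitlines():
        who, _, line = raw.partition(": ")
        if who == "C":
            current = {"command": line.split(" ", 1)[0].upper(), "status": None, "data": []}
            results.append(current)
        elif current is not None:
            kind, _ = classify_pop3(line)
            if current["status"] is None:
                current["status"] = kind            # first server line after a command is +OK/-ERR
            elif line != ".":
                current["data"].append(line[1:] if line.startswith("..") else line)
    return results
```

Feeding a real capture (for example the output of the nc or openssl sessions above, prefixed with C:/S:) through walk_imap_session() gives a per-command status list, which makes a NO on LOGIN, a PREAUTH greeting or a BYE mid-session stand out immediately.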

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Version identification

    • SSL/TLS check

    • Capability enumeration

    • Authentication methods

  2. Deep Enumeration:

    • Vulnerability scanning

    • User enumeration

    • SSL/TLS analysis

    • Configuration review

  3. Documentation:

    • Server details

    • Found vulnerabilities

    • Access methods

    • Sensitive data

  4. Risk Assessment:

    • Impact analysis

    • Data sensitivity

    • Attack vectors

    • Mitigation recommendations

Additional Tools

  1. swaks (an SMTP test tool: it sends a message into the target mailbox so there is something to retrieve; it does not speak IMAP or POP3 itself):

    swaks --to <address> --server <target>
  2. evolution:

    evolution --account="imap://<target>"
  3. Custom Python Scripts:

    # Basic IMAP connection (fill in <target>, user and password)
    import imaplib
    mail = imaplib.IMAP4("<target>")    # plaintext on 143; imaplib.IMAP4_SSL("<target>", 993) for IMAPS
    mail.login(user, password)
    print(mail.list())                  # enumerate mailboxes
    mail.logout()
  4. Misc Tools:

    • thunderbird (GUI client)

    • mutt (terminal client)

    • alpine (terminal client)