IMAP/POP3 Pentesting Notes

Protocol Overview

Basic Information

IMAP:

• Port: TCP 143 (default), TCP 993 (IMAPS)

• Protocol Type: Application layer, client-server

• Purpose: Email access and management on server

• Security: Plain text by default, supports SSL/TLS

POP3:

• Port: TCP 110 (default), TCP 995 (POP3S)

• Protocol Type: Application layer, client-server

• Purpose: Email retrieval and deletion

• Security: Plain text by default, supports SSL/TLS

Protocol Differences

Initial Enumeration

Port Scanning

# Basic scan
nmap -p110,143,993,995 -sV <target>

# Aggressive scan
nmap -p110,143,993,995 -sV -sC -A <target>

# All related scripts
nmap -p110,143,993,995 --script imap* pop3* <target>

Banner Grabbing

# IMAP
nc -nv <target> 143

# POP3
nc -nv <target> 110

# IMAPS
openssl s_client -connect <target>:993

# POP3S
openssl s_client -connect <target>:995

Authentication Testing

IMAP Authentication

# Using netcat
nc -nv <target> 143
a001 LOGIN username password

# Using openssl for IMAPS
openssl s_client -connect <target>:993
a001 LOGIN username password

# Using curl
curl -k 'imaps://<target>' --user username:password

POP3 Authentication

# Using netcat
nc -nv <target> 110
USER username
PASS password

# Using openssl for POP3S
openssl s_client -connect <target>:995
USER username
PASS password

Brute Force Attacks

Using Hydra

# IMAP
hydra -l user -P passwords.txt <target> imap
hydra -L users.txt -P passwords.txt <target> imap

# POP3
hydra -l user -P passwords.txt <target> pop3
hydra -L users.txt -P passwords.txt <target> pop3

Using Metasploit

# IMAP
use auxiliary/scanner/imap/imap_version
use auxiliary/scanner/imap/imap_login

# POP3
use auxiliary/scanner/pop3/pop3_version
use auxiliary/scanner/pop3/pop3_login

Command Reference

IMAP Commands

POP3 Commands

Common NSE Scripts

# IMAP Scripts
nmap -p143,993 --script imap-capabilities <target>
nmap -p143,993 --script imap-ntlm-info <target>
nmap -p143,993 --script imap-brute <target>

# POP3 Scripts
nmap -p110,995 --script pop3-capabilities <target>
nmap -p110,995 --script pop3-ntlm-info <target>
nmap -p110,995 --script pop3-brute <target>

SSL/TLS Testing

# Test IMAPS
openssl s_client -connect <target>:993 -crlf
nmap -p993 --script ssl-enum-ciphers <target>

# Test POP3S
openssl s_client -connect <target>:995 -crlf
nmap -p995 --script ssl-enum-ciphers <target>

Configuration Files

Server Configuration

• Dovecot: /etc/dovecot/dovecot.conf

• Courier: /etc/courier/imapd, /etc/courier/pop3d

• Cyrus: /etc/imapd.conf, /etc/cyrus.conf

Security Files

• SSL Certificates: Often in /etc/ssl/certs/

• Authentication: Various PAM or SASL configs

Common Vulnerabilities

1. Authentication Issues:

   • Clear text transmission

   • Weak credentials

   • No rate limiting

   • Authentication bypass

2. SSL/TLS Problems:

   • Weak ciphers

   • Outdated protocols

   • Invalid certificates

   • Missing encryption

3. Configuration:

   • Debug logging enabled

   • Anonymous access

   • Unencrypted ports open

   • Excessive information disclosure

Post Exploitation

Information Gathering

• Access email content

• Extract attachments

• Find sensitive data

• Gather internal addresses

• Map email relationships

Privilege Escalation

• Check attachment permissions

• Search for credentials

• Test for command injection

• Access configuration files

Response Codes

IMAP Response Codes

POP3 Response Codes

Best Practices for Pentesting

1. Initial Reconnaissance:

   • Version identification

   • SSL/TLS check

   • Capability enumeration

   • Authentication methods

2. Deep Enumeration:

   • Vulnerability scanning

   • User enumeration

   • SSL/TLS analysis

   • Configuration review

3. Documentation:

   • Server details

   • Found vulnerabilities

   • Access methods

   • Sensitive data

4. Risk Assessment:

   • Impact analysis

   • Data sensitivity

   • Attack vectors

   • Mitigation recommendations

Additional Tools

1. swaks:

   Copy

   swaks --to user@domain.com --server <target>

2. evolution:

   Copy

   evolution --account="imap://<target>"

3. Custom Python Scripts:

   Copy

   # Basic IMAP connection
   import imaplib
   mail = imaplib.IMAP4("<target>")
   mail.login(user, password)

4. Misc Tools:

   • thunderbird (GUI client)

   • mutt (terminal client)

   • alpine (terminal client)