IMAP/POP3 Pentesting Notes

Protocol Overview

Basic Information

IMAP:

Port: TCP 143 (default), TCP 993 (IMAPS)
Protocol Type: Application layer, client-server
Purpose: Email access and management on server
Security: Plain text by default, supports SSL/TLS

POP3:

Port: TCP 110 (default), TCP 995 (POP3S)
Protocol Type: Application layer, client-server
Purpose: Email retrieval and deletion
Security: Plain text by default, supports SSL/TLS

Protocol Differences

Feature

IMAP

POP3

Storage

Server-side

Client-side

Sync

Multi-device sync

Single device

Management

Full email/folder management

Basic retrieval/deletion

Connection

Persistent connection

Connect, download, disconnect

Initial Enumeration

Port Scanning

# Basic scan
nmap -p110,143,993,995 -sV <target>

# Aggressive scan
nmap -p110,143,993,995 -sV -sC -A <target>

# All related scripts
nmap -p110,143,993,995 --script imap* pop3* <target>

Banner Grabbing

# IMAP
nc -nv <target> 143

# POP3
nc -nv <target> 110

# IMAPS
openssl s_client -connect <target>:993

# POP3S
openssl s_client -connect <target>:995

Authentication Testing

IMAP Authentication

# Using netcat
nc -nv <target> 143
a001 LOGIN username password

# Using openssl for IMAPS
openssl s_client -connect <target>:993
a001 LOGIN username password

# Using curl
curl -k 'imaps://<target>' --user username:password

POP3 Authentication

# Using netcat
nc -nv <target> 110
USER username
PASS password

# Using openssl for POP3S
openssl s_client -connect <target>:995
USER username
PASS password

Brute Force Attacks

Using Hydra

# IMAP
hydra -l user -P passwords.txt <target> imap
hydra -L users.txt -P passwords.txt <target> imap

# POP3
hydra -l user -P passwords.txt <target> pop3
hydra -L users.txt -P passwords.txt <target> pop3

Using Metasploit

# IMAP
use auxiliary/scanner/imap/imap_version
use auxiliary/scanner/imap/imap_login

# POP3
use auxiliary/scanner/pop3/pop3_version
use auxiliary/scanner/pop3/pop3_login

Command Reference

IMAP Commands

Command

Description

Example

Authenticate

a001 LOGIN user pass

LIST

List mailboxes

a002 LIST "" "*"

SELECT

Select mailbox

a003 SELECT INBOX

FETCH

Retrieve message

a004 FETCH 1 BODY[]

STORE

Modify flags

a005 STORE 1 +FLAGS (\Deleted)

EXPUNGE

Delete marked messages

a006 EXPUNGE

LOGOUT

End session

a007 LOGOUT

POP3 Commands

Command

Description

Example

USER

Set username

USER username

PASS

Set password

PASS password

STAT

Get mailbox stats

STAT

LIST

List messages

LIST

RETR

Retrieve message

RETR 1

DELE

Delete message

DELE 1

QUIT

End session

QUIT

Common NSE Scripts

# IMAP Scripts
nmap -p143,993 --script imap-capabilities <target>
nmap -p143,993 --script imap-ntlm-info <target>
nmap -p143,993 --script imap-brute <target>

# POP3 Scripts
nmap -p110,995 --script pop3-capabilities <target>
nmap -p110,995 --script pop3-ntlm-info <target>
nmap -p110,995 --script pop3-brute <target>

SSL/TLS Testing

# Test IMAPS
openssl s_client -connect <target>:993 -crlf
nmap -p993 --script ssl-enum-ciphers <target>

# Test POP3S
openssl s_client -connect <target>:995 -crlf
nmap -p995 --script ssl-enum-ciphers <target>

Configuration Files

Server Configuration

Dovecot: /etc/dovecot/dovecot.conf
Courier: /etc/courier/imapd, /etc/courier/pop3d
Cyrus: /etc/imapd.conf, /etc/cyrus.conf

Security Files

SSL Certificates: Often in /etc/ssl/certs/
Authentication: Various PAM or SASL configs

Common Vulnerabilities

Authentication Issues:
- Clear text transmission
- Weak credentials
- No rate limiting
- Authentication bypass
SSL/TLS Problems:
- Weak ciphers
- Outdated protocols
- Invalid certificates
- Missing encryption
Configuration:
- Debug logging enabled
- Anonymous access
- Unencrypted ports open
- Excessive information disclosure

Post Exploitation

Information Gathering

Access email content
Extract attachments
Find sensitive data
Gather internal addresses
Map email relationships

Privilege Escalation

Check attachment permissions
Search for credentials
Test for command injection
Access configuration files

Response Codes

IMAP Response Codes

Code

Meaning

Command completed

Command failed

BAD

Invalid command

PREAUTH

Authenticated connection

BYE

Server signing off

POP3 Response Codes

Code

Meaning

+OK

Command successful

-ERR

Command failed

Best Practices for Pentesting

Initial Reconnaissance:
- Version identification
- SSL/TLS check
- Capability enumeration
- Authentication methods
Deep Enumeration:
- Vulnerability scanning
- User enumeration
- SSL/TLS analysis
- Configuration review
Documentation:
- Server details
- Found vulnerabilities
- Access methods
- Sensitive data
Risk Assessment:
- Impact analysis
- Data sensitivity
- Attack vectors
- Mitigation recommendations

Additional Tools

swaks:

swaks --to [email protected] --server <target>

evolution:
```
evolution --account="imap://<target>"
```

Custom Python Scripts:

# Basic IMAP connection
import imaplib
mail = imaplib.IMAP4("<target>")
mail.login(user, password)

Misc Tools:
- thunderbird (GUI client)
- mutt (terminal client)
- alpine (terminal client)

PreviousSNMP Pentesting Notes NextSMTP Pentesting Notes

hashtagProtocol Overview

hashtagBasic Information

hashtagProtocol Differences

hashtagInitial Enumeration

hashtagPort Scanning

hashtagBanner Grabbing

hashtagAuthentication Testing

hashtagIMAP Authentication

hashtagPOP3 Authentication

hashtagBrute Force Attacks

hashtagUsing Hydra

hashtagUsing Metasploit

hashtagCommand Reference

hashtagIMAP Commands

hashtagPOP3 Commands

hashtagCommon NSE Scripts

hashtagSSL/TLS Testing

hashtagConfiguration Files

hashtagServer Configuration

hashtagSecurity Files

hashtagCommon Vulnerabilities

hashtagPost Exploitation

hashtagInformation Gathering

hashtagPrivilege Escalation

hashtagResponse Codes

hashtagIMAP Response Codes

hashtagPOP3 Response Codes

hashtagBest Practices for Pentesting

hashtagAdditional Tools