Port 143/993 – IMAP
Pentesting IMAP
Due to its authentication mechanisms and potentially sensitive data, IMAP services are important targets during penetration testing. Misconfigurations, weak authentication, and legacy implementations can expose credentials or allow unauthorised access.
Navigation
Discovery and Enumeration
Scanning for IMAP Services
Begin by identifying whether IMAP is exposed and what versions are in use. You can use the Nmap tool, along with some techniques shown in the port scanning section under enumeration, which can be found here.
nmap -p 143,993 10.1.1.1 #Discover open IMAP ports on a specified target nmap -iL targets.txt -p 143,993 #Discover open IMAP ports on a list of targets nmap -sV -p 143,993 --script imap-capabilities 10.1.1.1 #Get version and supported features of IMAP on a target
If available, check if STARTTLS is supported on port 143:
nmap --script imap-capabilities -p143 10.1.1.1 #Check if STARTTLS is supported
Banner Grabbing
To get IMAP banners, you can manually interact with the service using a tool like Netcat.
nc -v 10.1.1.1 143 #Netcat connection to target IP on port 143 nc -vv 10.1.1.1 143 #Netcat connection to target IP on port 143 with more verbose output
Then issue the following command to get a list of supported features:
a001 CAPABILITY #Request a list of supported features from the IMAP server
Look for capabilities like:
CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN IDLE
This reveals available authentication mechanisms, encryption options, and IMAP extensions.