Pentesting IMAP

IMAP Icon
The Internet Message Access Protocol (IMAP) is used by email clients to retrieve messages from a mail server over a TCP/IP connection. IMAP enables remote access to emails without needing to download them, unlike POP3. It allows users to view email headers, search messages, and manage mailboxes across multiple devices. IMAP operates on port 143 by default and 993 when secured with SSL/TLS.

Due to its authentication mechanisms and potentially sensitive data, IMAP services are important targets during penetration testing. Misconfigurations, weak authentication, and legacy implementations can expose credentials or allow unauthorised access.

Discovery and Enumeration

Scanning for IMAP Services

Begin by identifying whether IMAP is exposed and what versions are in use. You can use the Nmap tool, along with some techniques shown in the port scanning section under enumeration, which can be found here.

nmap -p 143,993 10.1.1.1                                   #Discover open IMAP ports on a specified target
nmap -iL targets.txt -p 143,993                            #Discover open IMAP ports on a list of targets
nmap -sV -p 143,993 --script imap-capabilities 10.1.1.1    #Get version and supported features of IMAP on a target

If available, check if STARTTLS is supported on port 143:

nmap --script imap-capabilities -p143 10.1.1.1    #Check if STARTTLS is supported

 

Banner Grabbing

To get IMAP banners, you can manually interact with the service using a tool like Netcat.

nc -v 10.1.1.1 143    #Netcat connection to target IP on port 143
nc -vv 10.1.1.1 143   #Netcat connection to target IP on port 143 with more verbose output

Then issue the following command to get a list of supported features:

a001 CAPABILITY    #Request a list of supported features from the IMAP server

Look for capabilities like:

CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN IDLE

This reveals available authentication mechanisms, encryption options, and IMAP extensions.