Hacktricks-skills imap-pentest

Pentest IMAP email servers for vulnerabilities, information disclosure, and credential testing. Use this skill whenever the user mentions IMAP, email server testing, port 143, port 993, email enumeration, or wants to assess email service security. Trigger for any IMAP-related reconnaissance, banner grabbing, authentication testing, or mailbox enumeration tasks.

Source: git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-imap/SKILL.MD

IMAP Pentesting Skill

This skill helps you assess IMAP (Internet Message Access Protocol) email servers for security vulnerabilities, information disclosure, and misconfigurations.

When to Use This Skill

Use this skill when:

  • You need to enumerate or test an IMAP service (ports 143 or 993)
  • You want to grab banners from email servers
  • You're testing for NTLM authentication information disclosure
  • You need to enumerate mailboxes or messages
  • You're performing email service reconnaissance
  • You want to test IMAP credentials or brute force authentication

Quick Reference

Port   Service   Encryption
143    IMAP      Unencrypted
993    IMAPS     TLS/SSL Encrypted

Step 1: Banner Grabbing

Start by identifying the IMAP server and its capabilities.

Unencrypted IMAP (Port 143)

nc -nv <target-ip> 143

Encrypted IMAP (Port 993)

openssl s_client -connect <target-ip>:993 -quiet

What to look for:

  • Server software name and version (e.g., "Microsoft Exchange IMAP4", "Dovecot", "Postfix")
  • Supported authentication methods
  • CAPABILITY output showing available features
  • Any version information that could indicate known vulnerabilities
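
The review points above can be applied mechanically to a captured session. This is an added example, not part of the original skill: it parses a greeting and CAPABILITY transcript and reports findings. Both transcripts and the function name `audit_imap_transcript` are constructed for illustration.

```python
import re

# Constructed sample: what `nc -nv <target-ip> 143` plus `a1 CAPABILITY` might show.
SAMPLE_WEAK = """\
* OK The Microsoft Exchange IMAP4 service is ready.
a1 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=PLAIN UIDPLUS IDLE
a1 OK CAPABILITY completed.
""".splitlines()

# Constructed sample: a cleartext listener that refuses logins until STARTTLS.
SAMPLE_HARDENED = [
    "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready.",
]

def audit_imap_transcript(lines, tls=False):
    """Return banner, SASL mechanisms and review findings for one session."""
    banner, caps = "", set()
    for line in lines:
        line = line.strip()
        if not banner and line.upper().startswith(("* OK", "* PREAUTH")):
            banner = line
        # Capabilities arrive inline in the greeting or as an untagged response.
        found = (re.search(r"\[CAPABILITY ([^\]]+)\]", line, re.I)
                 or re.match(r"\* CAPABILITY (.+)", line, re.I))
        if found:
            caps.update(tok.upper() for tok in found.group(1).split())
    mechs = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    findings = []
    if banner.upper().startswith("* PREAUTH"):
        findings.append("session is pre-authenticated (PREAUTH greeting)")
    if not tls:
        if "STARTTLS" not in caps:
            findings.append("cleartext listener does not offer STARTTLS")
        if "LOGINDISABLED" not in caps:
            findings.append("LOGIN is accepted before TLS (no LOGINDISABLED)")
        if "PLAIN" in mechs:
            findings.append("AUTH=PLAIN is offered before TLS")
    if "NTLM" in mechs:
        findings.append("AUTH=NTLM is offered; its challenge names the host and domain")
    return {"banner": banner, "auth_mechanisms": mechs, "findings": findings}

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_imap_transcript(sample))
```

Pass `tls=True` when the transcript came from port 993, so the cleartext-only checks are skipped.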

Step 2: NTLM Authentication Information Disclosure

If the server supports NTLM authentication (common on Windows/Exchange servers), you can extract sensitive version information.

Manual NTLM Probe

telnet <target-ip> 143
# When connected:
a1 AUTHENTICATE NTLM
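# The server answers "+"; send a base64-encoded NTLM negotiate (Type 1) message.
# The server's base64 reply is the NTLM challenge (Type 2), which carries the host details.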

Automated with Nmap

nmap --script imap-ntlm-info -p 143 <target-ip>

This reveals Windows version information that can help identify specific vulnerabilities.
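
To see exactly which fields an NTLM-enabled listener hands to an unauthenticated client, the base64 challenge can be decoded offline. This is an added example, not code from the original skill or from Nmap: the message is built locally with made-up names (`EXAMPLE`, `MAIL01`, `example.test`) and a made-up build number, and both function names are hypothetical.

```python
import base64
import struct

AV_NAMES = {1: "netbios_computer", 2: "netbios_domain",
            3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}

def parse_ntlm_challenge(b64_blob):
    """Decode the fields an NTLM Type 2 (CHALLENGE) message exposes pre-auth."""
    msg = base64.b64decode(b64_blob)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags, = struct.unpack_from("<I", msg, 20)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    text = "utf-16-le" if flags & 0x1 else "ascii"   # NTLMSSP_NEGOTIATE_UNICODE
    info = {"target_name": msg[tn_off:tn_off + tn_len].decode(text, "replace")}
    if flags & 0x02000000 and len(msg) >= 56:        # NTLMSSP_NEGOTIATE_VERSION
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, min(ti_off + ti_len, len(msg))
    while pos + 4 <= end:                            # walk the AV_PAIR list
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:                               # MsvAvEOL terminates the list
            break
        if av_id in AV_NAMES:                        # AV name strings are UTF-16LE
            info[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le", "replace")
        pos += av_len
    return info

def build_sample_challenge():
    """Constructed Type 2 message with made-up names, for offline testing."""
    def av(av_id, value):
        raw = value.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(raw)) + raw
    target = "EXAMPLE".encode("utf-16-le")
    target_info = (av(2, "EXAMPLE") + av(1, "MAIL01") + av(4, "example.test")
                   + av(3, "mail01.example.test") + struct.pack("<HH", 0, 0))
    header = (b"NTLMSSP\x00" + struct.pack("<I", 2)
              + struct.pack("<HHI", len(target), len(target), 56)
              + struct.pack("<I", 0x02800001) + bytes(16)   # flags, challenge, reserved
              + struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target))
              + struct.pack("<BBH3sB", 10, 0, 17763, b"\x00" * 3, 15))
    return base64.b64encode(header + target + target_info).decode()

if __name__ == "__main__":
    print(parse_ntlm_challenge(build_sample_challenge()))
```

If the decoded names or build number are details you would rather not publish, the listener should stop offering AUTH=NTLM to unauthenticated clients.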

Step 3: IMAP Command Reference

Use these commands for manual enumeration and testing.

Authentication

# Basic login
A1 LOGIN username password

# Quoted values (for spaces/special characters)
A1 LOGIN "user name" "pass word"

Mailbox Operations

# List all mailboxes
A1 LIST "" "*"

# List mailboxes matching "*" under the INBOX reference
A1 LIST INBOX "*"

# List subscribed mailboxes
A1 LSUB "" "*"

# Get mailbox status (message counts, etc.)
A1 STATUS INBOX (MESSAGES UNSEEN RECENT)

# Select a mailbox to work with
A1 SELECT INBOX

# Create a new mailbox
A1 CREATE "New Folder"

# Delete a mailbox
A1 DELETE "Old Folder"

# Rename a mailbox
A1 RENAME "Old Name" "New Name"

Message Operations

# List message flags
A1 FETCH 1:* (FLAGS)
A1 UID FETCH 1:* (FLAGS)

# Retrieve full message content
A1 FETCH 2 BODY[]

# ALL is a macro for (FLAGS INTERNALDATE RFC822.SIZE ENVELOPE): metadata only, not the body
A1 FETCH 2 ALL

# Peek at message without marking as read
A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[])

# Get specific message parts
A1 FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]

Session Management

# Close current mailbox
A1 CLOSE

# Logout
A1 LOGOUT

Step 4: Automated Enumeration with Tools

Using curl for IMAP

Curl supports IMAP operations for quick enumeration:

# List mailboxes
curl -k 'imaps://<target-ip>/' --user user:pass

# List messages in INBOX
curl -k 'imaps://<target-ip>/INBOX?ALL' --user user:pass

# Search for specific content
curl -k 'imaps://<target-ip>/INBOX?TEXT%20password' --user user:pass

# Download specific message
curl -k 'imaps://<target-ip>/INBOX;MAILINDEX=1' --user user:pass

# Get headers only (subject, from)
for m in {1..5}; do
  curl "imap://<target-ip>/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass
done

Using Metasploit

msfconsole -q -x 'use auxiliary/scanner/imap/imap_version; set RHOSTS <target-ip>; set RPORT 143; run; exit'

Using Evolution (GUI)

apt install evolution
# Then configure the IMAP account in the GUI

Step 5: Shodan Reconnaissance

Search for IMAP servers with specific capabilities:

# Find IMAP servers on port 143
port:143 CAPABILITY

# Find IMAPS servers on port 993
port:993 CAPABILITY

Common Vulnerabilities to Check

  1. Weak Authentication - Test for default/weak credentials
  2. Information Disclosure - Banner grabbing reveals versions
  3. NTLM Information Leakage - Windows version disclosure
  4. Unencrypted Transmission - Port 143 sends credentials in plaintext
  5. Mailbox Enumeration - Unauthorized access to list mailboxes
  6. Message Access - Unauthorized reading of emails

Testing Checklist

  • Banner grab on port 143
  • Banner grab on port 993
  • Check for NTLM authentication support
  • Run nmap imap-ntlm-info script
  • Attempt login with known credentials
  • Enumerate mailboxes if authenticated
  • Check for default/weak credentials
  • Test for unencrypted credential transmission
  • Search Shodan for additional intelligence

Important Notes

  • Always get authorization before testing email servers
  • Respect rate limits - IMAP servers may lock accounts after failed attempts
  • Document findings - Email servers often contain sensitive data
  • Use encrypted connections (port 993) when possible to avoid credential exposure
  • Be careful with brute force - Account lockouts can cause denial of service