80 lines
3.3 KiB
Markdown
80 lines
3.3 KiB
Markdown
|
## What is IMAP
|
|||
|
|
|
|||
|
|
Internet Message Access Protocol (IMAP) is more sophisticated than POP3. IMAP makes it possible to keep your email synchronized across multiple devices (and mail clients). In other words, if you mark an email message as read when checking your email on your smartphone, the change will be saved on the IMAP server (MDA) and replicated on your laptop when you synchronize your inbox.
|
|||
|
|
|
|||
|
|
Let’s take a look at sample IMAP commands. In the console output below, we use Telnet to connect to the IMAP server’s default port, and then we **authenticate using** `LOGIN username password`. IMAP requires each command to be preceded by a random string to be able to track the reply. So we added `c1`, then `c2`, and so on. Then we listed our mail folders using `LIST "" "*"`, before checking if we have any new messages in the inbox using `EXAMINE INBOX`. We don’t need to memorize these commands; however, we are simply providing the example below to give a vivid image of what happens when the mail client communicates with an IMAP server.
|
|||
|
|
|
|||
|
|
Pentester Terminal
|
|||
|
|
|
|||
|
|
```shell-session
|
|||
|
|
pentester@TryHackMe$ telnet 10.10.142.15 143
|
|||
|
|
Trying 10.10.142.15...
|
|||
|
|
Connected to MACHINE_IP.
|
|||
|
|
Escape character is '^]'.
|
|||
|
|
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2018 Double Precision, Inc. See COPYING for distribution information.
|
|||
|
|
c1 LOGIN frank D2xc9CgD
|
|||
|
|
* OK [ALERT] Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)
|
|||
|
|
c1 OK LOGIN Ok.
|
|||
|
|
c2 LIST "" "*"
|
|||
|
|
* LIST (\HasNoChildren) "." "INBOX.Trash"
|
|||
|
|
* LIST (\HasNoChildren) "." "INBOX.Drafts"
|
|||
|
|
* LIST (\HasNoChildren) "." "INBOX.Templates"
|
|||
|
|
* LIST (\HasNoChildren) "." "INBOX.Sent"
|
|||
|
|
* LIST (\Unmarked \HasChildren) "." "INBOX"
|
|||
|
|
c2 OK LIST completed
|
|||
|
|
c3 EXAMINE INBOX
|
|||
|
|
* FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)
|
|||
|
|
* OK [PERMANENTFLAGS ()] No permanent flags permitted
|
|||
|
|
* 0 EXISTS
|
|||
|
|
* 0 RECENT
|
|||
|
|
* OK [UIDVALIDITY 631694851] Ok
|
|||
|
|
* OK [MYRIGHTS "acdilrsw"] ACL
|
|||
|
|
c3 OK [READ-ONLY] Ok
|
|||
|
|
c4 LOGOUT
|
|||
|
|
* BYE Courier-IMAP server shutting down
|
|||
|
|
c4 OK LOGOUT completed
|
|||
|
|
Connection closed by foreign host.
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
It is clear that IMAP sends the login credentials in cleartext, as we can see in the command `LOGIN frank D2xc9CgD`. Anyone watching the network traffic would be able to know Frank’s username and password.
|
|||
|
|
|
|||
|
|
## Find IMAP Port
|
|||
|
|
- Nmap
|
|||
|
|
```Terminal
|
|||
|
|
nmap -sV -sC IP -p110
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
- Possible to find IMAP on an other port
|
|||
|
|
|
|||
|
|
## Attack
|
|||
|
|
- Brute Force
|
|||
|
|
```Terminal
|
|||
|
|
hydra -l username -P PASSWORD-LIST.txt -f IP imap
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## Connection
|
|||
|
|
|
|||
|
|
- IMAP Commands
|
|||
|
|
```Terminal
|
|||
|
|
USER frank
|
|||
|
|
+OK frank #Machine Response
|
|||
|
|
PASS D2xc9CgD
|
|||
|
|
+OK 1 messages (179) octets #Machine Response
|
|||
|
|
STAT
|
|||
|
|
+OK 1 179 #Machine Response
|
|||
|
|
LIST
|
|||
|
|
+OK 1 messages (179) octets #Machine Response
|
|||
|
|
1 179
|
|||
|
|
.
|
|||
|
|
RETR 1
|
|||
|
|
+OK #Machine Response
|
|||
|
|
From: Mail Server
|
|||
|
|
To: Frank
|
|||
|
|
subject: Sending email with Telnet
|
|||
|
|
Hello Frank,
|
|||
|
|
I am just writing to say hi!
|
|||
|
|
.
|
|||
|
|
QUIT
|
|||
|
|
+OK MACHINE_IP closing connection #Machine Response
|
|||
|
|
Connection closed by foreign host.
|
|||
|
|
```
|