## What is IMAP

Internet Message Access Protocol (IMAP) is more sophisticated than POP3. IMAP makes it possible to keep your email synchronized across multiple devices (and mail clients). In other words, if you mark an email message as read when checking your email on your smartphone, the change will be saved on the IMAP server (MDA) and replicated on your laptop when you synchronize your inbox.

Let's take a look at sample IMAP commands. In the console output below, we use Telnet to connect to the IMAP server's default port (143), and then we **authenticate using** `LOGIN username password`. IMAP requires each command to be prefixed with a tag, an arbitrary client-chosen string, so that the server's reply can be matched to the command that produced it; untagged server responses start with `*` instead. So we added `c1`, then `c2`, and so on. Then we listed our mail folders using `LIST "" "*"`, before checking whether we have any new messages in the inbox using `EXAMINE INBOX`. We don't need to memorize these commands; we are simply providing the example below to give a vivid image of what happens when the mail client communicates with an IMAP server.

```shell-session
pentester@TryHackMe$ telnet 10.10.142.15 143
Trying 10.10.142.15...
Connected to MACHINE_IP.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2018 Double Precision, Inc. See COPYING for distribution information.
c1 LOGIN frank D2xc9CgD
* OK [ALERT] Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)
c1 OK LOGIN Ok.
c2 LIST "" "*"
* LIST (\HasNoChildren) "." "INBOX.Trash"
* LIST (\HasNoChildren) "." "INBOX.Drafts"
* LIST (\HasNoChildren) "." "INBOX.Templates"
* LIST (\HasNoChildren) "." "INBOX.Sent"
* LIST (\Unmarked \HasChildren) "." "INBOX"
c2 OK LIST completed
c3 EXAMINE INBOX
* FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)
* OK [PERMANENTFLAGS ()] No permanent flags permitted
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 631694851] Ok
* OK [MYRIGHTS "acdilrsw"] ACL
c3 OK [READ-ONLY] Ok
c4 LOGOUT
* BYE Courier-IMAP server shutting down
c4 OK LOGOUT completed
Connection closed by foreign host.
```

It is clear that IMAP sends the login credentials in cleartext, as we can see in the command `LOGIN frank D2xc9CgD`. Anyone watching the network traffic would be able to know Frank's username and password. Note that the server advertises `STARTTLS` in its capability banner: a client that issues `STARTTLS` before `LOGIN` (or that connects to the TLS-wrapped IMAPS port instead) keeps the credentials out of a packet capture, so a `LOGIN` seen on the wire before any `STARTTLS` is the thing to look for.

## Find IMAP Port

- Nmap

```Terminal
nmap -sV -sC IP -p143
```

- Possible to find IMAP on another port

## Attack

- Brute Force

```Terminal
hydra -l username -P PASSWORD-LIST.txt -f IP imap
```

## Connection - POP3 Commands (for comparison)

The session below is a POP3 exchange (`USER`/`PASS` and `+OK` responses, no command tags), not IMAP; it is kept here to contrast with the tagged IMAP commands above.

```Terminal
USER frank
+OK frank #Machine Response
PASS D2xc9CgD
+OK 1 messages (179) octets #Machine Response
STAT
+OK 1 179 #Machine Response
LIST
+OK 1 messages (179) octets #Machine Response
1 179
.
RETR 1
+OK #Machine Response
From: Mail Server
To: Frank
subject: Sending email with Telnet

Hello Frank,
I am just writing to say hi!
.
QUIT
+OK MACHINE_IP closing connection #Machine Response
Connection closed by foreign host.
```
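As an added example (not part of the original write-up or of any tool it mentions), the Python below pairs each tagged IMAP command from the Telnet session above with its untagged data and tagged status reply, then audits the exchange the way a defender reviewing a capture would: it flags a `LOGIN` that was sent before a successful `STARTTLS`, noting whether the server had advertised `STARTTLS` at all. The session text is a constructed, shortened copy of the exchange shown above.

```python
import re

# Constructed sample of the IMAP exchange shown above ("C: " client, "S: " server).
SESSION = """S: * OK [CAPABILITY IMAP4rev1 STARTTLS ENABLE] Courier-IMAP ready.
C: c1 LOGIN frank D2xc9CgD
S: c1 OK LOGIN Ok.
C: c2 LIST "" "*"
S: * LIST (\\Unmarked \\HasChildren) "." "INBOX"
S: c2 OK LIST completed
C: c3 EXAMINE INBOX
S: * 0 EXISTS
S: c3 OK [READ-ONLY] Ok
C: c4 LOGOUT
S: c4 OK LOGOUT completed"""

TAGGED_STATUS = re.compile(r"^(\S+) (OK|NO|BAD)\b")
CAPABILITY = re.compile(r"\[CAPABILITY ([^\]]*)\]")

def parse_session(text):
    """Pair each tagged client command with its untagged (*) data and tagged OK/NO/BAD status."""
    exchanges, pending, capabilities = [], {}, set()
    for line in text.splitlines():
        side, _, msg = line.partition(": ")
        if side == "C":                       # client command: "<tag> <command> <args>"
            tag, _, command = msg.partition(" ")
            pending[tag] = {"tag": tag, "command": command, "untagged": [], "status": None}
            exchanges.append(pending[tag])
        elif msg.startswith("* "):            # untagged server data, e.g. LIST or EXISTS
            cap = CAPABILITY.search(msg)
            if cap:
                capabilities.update(cap.group(1).split())
            for ex in pending.values():       # belongs to the commands still in flight
                ex["untagged"].append(msg[2:])
        else:                                 # tagged status closes the matching command
            m = TAGGED_STATUS.match(msg)
            if m and m.group(1) in pending:
                pending.pop(m.group(1))["status"] = m.group(2)
    return capabilities, exchanges

def audit_cleartext_login(text):
    """Report LOGIN commands sent before a successful STARTTLS, i.e. credentials sent in clear."""
    capabilities, exchanges = parse_session(text)
    findings, tls_started = [], False
    for ex in exchanges:
        words = ex["command"].split()
        if words[0].upper() == "STARTTLS" and ex["status"] == "OK":
            tls_started = True
        elif words[0].upper() == "LOGIN" and not tls_started:
            hint = "server advertised STARTTLS" if "STARTTLS" in capabilities else "no STARTTLS offered"
            findings.append(f"{ex['tag']}: cleartext LOGIN for user {words[1]} ({hint})")
    return findings
```

Running `audit_cleartext_login(SESSION)` on the sample reports the `c1` login for `frank` as cleartext even though the banner offered `STARTTLS`, which is exactly the exposure the write-up describes.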