Enumerate and interact with IMAP (Internet Message Access Protocol) mail servers to access mailboxes and retrieve emails. IMAP keeps emails on the server and syncs across devices, with port 143 for unencrypted and 993 for SSL/TLS connections.
Banner Grabbing
Netcat
nc -nv 10.10.10.10 143
Telnet
telnet 10.10.10.10 143
OpenSSL (IMAPS - Port 993)
openssl s_client -connect 10.10.10.10:993
IMAP Commands
Note: All IMAP commands must be prefixed with a tag (e.g., a, 1, A001)
Authentication
# Login a LOGIN username password
# Logout a LOGOUT
Mailbox Operations
# List all mailboxes a LIST "" *
# List subscribed mailboxes a LSUB "" *
# Create mailbox a CREATE "INBOX"
# Delete mailbox a DELETE "INBOX"
# Rename mailbox a RENAME "ToRead""Important"
# Select mailbox a SELECT INBOX
# Unselect mailbox a UNSELECT INBOX
# Check mailbox status a STATUS INBOX (MESSAGES UNSEEN)
Message Operations
# Fetch all message UIDs and flags a FETCH 1:* (UID FLAGS)
# Fetch message headers a FETCH 1 (BODY[HEADER])
# Fetch entire message a FETCH 1 (BODY[])
# Fetch multiple messages a FETCH 1:5 (BODY[])
# Fetch all messages a FETCH 1:* (BODY[])
# Search for messages a SEARCH ALL a SEARCH FROM "user@domain.com" a SEARCH SUBJECT "password"
# Mark message as deleted a STORE 1 +FLAGS (\Deleted)
# Connect and enumerate nc -nv 10.10.10.10 143 a CAPABILITY a LOGIN user password a LIST "" * a SELECT INBOX a FETCH 1:* (UID FLAGS) a FETCH 1 (BODY[]) a LOGOUT
cURL Access
List and Retrieve Emails
# List mailboxes curl -k 'imaps://10.10.10.10' --user user:password
# List emails in INBOX curl -k 'imaps://10.10.10.10/INBOX' --user user:password
# Retrieve specific email curl -k 'imaps://10.10.10.10/INBOX;UID=1' --user user:password
# Search for emails curl -k 'imaps://10.10.10.10/INBOX' --user user:password -X 'SEARCH FROM "admin"'
Brute Force
Hydra
# IMAP brute force hydra -l user -P /usr/share/wordlists/rockyou.txt imap://10.10.10.10
# IMAPS brute force hydra -l user -P /usr/share/wordlists/rockyou.txt imaps://10.10.10.10