As its name implies, IMAP allows you to **access your email messages wherever you are**; much of the time, it is accessed via the Internet. Basically, email **messages are stored on servers**. Whenever you check your inbox, your email client contacts the server to connect you with your messages. When you read an email message using IMAP, **you aren't actually downloading** or storing it on your computer; instead, you are **reading it off of the server**. As a result, it's possible to check your email from **several different devices** without missing a thing.
By default, the IMAP protocol works on two ports:
* **Port 143** - this is the default IMAP non-encrypted port
* **Port 993** - this is the port you need to use if you want to connect using IMAP securely
```text
PORT STATE SERVICE REASON
143/tcp open imap syn-ack
```
## Banner grabbing
```bash
nc -nv <IP> 143
openssl s_client -connect <IP>:993 -quiet
```
### NTLM Auth - Information disclosure
If the server supports NTLM auth (Windows), you can obtain sensitive info (versions):
```text
root@kali: telnet example.com 143
* OK The Microsoft Exchange IMAP4 service is ready.
```
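To see exactly what such a server discloses, this added example (not part of the original page) decodes the base64 NTLM challenge returned during the handshake, following the CHALLENGE_MESSAGE layout in MS-NLMP. The host `LAB-MAIL01`, the domain `lab.example` and the build number are constructed sample values, and `build_sample` is a hypothetical helper that packs them into a message so the parser runs offline.

```python
import base64
import struct

# AV_PAIR ids (MS-NLMP) whose values identify the host and domain
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain",
            3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}
UNICODE, TARGET_INFO, VERSION = 0x1, 0x00800000, 0x02000000  # negotiate flags

def parse_challenge(b64):
    """Decode a base64 NTLM CHALLENGE (type 2) message into a dict."""
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE message")
    tn_len, _, tn_off, flags = struct.unpack_from("<HHII", msg, 12)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    enc = "utf-16-le" if flags & UNICODE else "latin-1"
    info = {"target": msg[tn_off:tn_off + tn_len].decode(enc, "replace")}
    if flags & VERSION and len(msg) >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, min(ti_off + ti_len, len(msg))
    while pos + 4 <= end:  # walk the AV_PAIR list: id, length, value
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0 or pos + av_len > end:  # MsvAvEOL or truncated pair
            break
        if av_id in AV_NAMES:  # AV_PAIR strings are always UTF-16LE
            info[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le", "replace")
        pos += av_len
    return info

def build_sample():
    """Constructed challenge for a made-up host LAB-MAIL01 (not a capture)."""
    u = lambda s: s.encode("utf-16-le")
    pairs = [(2, u("LAB")), (1, u("LAB-MAIL01")), (4, u("lab.example")),
             (3, u("lab-mail01.lab.example"))]
    av = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs) + struct.pack("<HH", 0, 0)
    target = u("LAB")
    head = b"NTLMSSP\x00" + struct.pack("<I", 2)
    head += struct.pack("<HHII", len(target), len(target), 56, UNICODE | TARGET_INFO | VERSION)
    head += bytes(16)  # server challenge and reserved field, zeroed here
    head += struct.pack("<HHI", len(av), len(av), 56 + len(target))
    head += struct.pack("<BBHxxxB", 10, 0, 17763, 15)  # version 10.0 build 17763
    return base64.b64encode(head + target + av).decode()

if __name__ == "__main__":
    print(parse_challenge(build_sample()))
```

Every field returned is readable before any credentials are supplied, so treat the hostnames and build numbers in this output as public for any Internet-facing IMAP service that offers NTLM.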
Basic navigation is possible with [CURL](https://ec.haxx.se/usingcurl/usingcurl-reademail#imap), but the documentation is light on details so checking the [source](https://github.com/curl/curl/blob/master/lib/imap.c) is recommended for precise details.
The mail index will be the same index returned from the search operation.
It is also possible to use `UID` (unique id) to access messages; however, it is less convenient, as the search command needs to be manually formatted. E.g.
It is also possible to download just parts of a message, e.g. the subject and sender of the first 5 messages (the `-v` is required to see the subject and sender):