# 143,993 - Pentesting IMAP
## Internet Message Access Protocol

As its name implies, IMAP lets you **access your email messages wherever you are**; most of the time it is accessed over the Internet. Basically, email **messages are stored on the server**. Whenever you check your inbox, your email client contacts the server to connect you with your messages. When you read a message over IMAP you are not downloading or storing it on your computer; you are **reading it off the server**. As a result you can check your email from **several different devices** without missing anything.

By default the IMAP protocol works on two ports:

* **Port 143** - the default non-encrypted IMAP port
* **Port 993** - the port to use for IMAP over TLS (IMAPS)

```
PORT    STATE SERVICE REASON
143/tcp open  imap    syn-ack
```

## Banner Grabbing

The server greeting, and the reply to a `CAPABILITY` command, usually reveal the product and often its version, which tells you which vendor documentation and known issues to look at, plus which authentication mechanisms (`AUTH=PLAIN`, `AUTH=NTLM`, `STARTTLS`, ...) the server offers. Use netcat for the cleartext port and `openssl s_client` for the TLS port:

```bash
nc -nv <IP> 143
openssl s_client -connect <IP>:993 -quiet
```

### NTLM Authentication - Information Disclosure

If the server supports NTLM authentication (Windows) you can obtain sensitive information (Windows version, host and domain names) from the NTLM challenge without supplying any credentials:
```
root@kali: telnet example.com 143
* OK The Microsoft Exchange IMAP4 service is ready.
>> a1 AUTHENTICATE NTLM
+
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
+ TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
```
Or automate this with the nmap script `imap-ntlm-info.nse`.

### [IMAP Brute Force](../generic-methodologies-and-resources/brute-force.md#imap)

## Syntax
```
Login
A1 LOGIN username password
Values can be quoted to enclose spaces and special characters.
A " must then be escaped with a \
A1 LOGIN "username" "password"

List Folders/Mailboxes
A1 LIST "" *
A1 LIST INBOX *
A1 LIST "Archive" *

Create new Folder/Mailbox
A1 CREATE INBOX.Archive.2012
A1 CREATE "To Read"

Delete Folder/Mailbox
A1 DELETE INBOX.Archive.2012
A1 DELETE "To Read"

Rename Folder/Mailbox
A1 RENAME "INBOX.One" "INBOX.Two"

List Subscribed Mailboxes
A1 LSUB "" *

Status of Mailbox (There are more flags than the ones listed)
A1 STATUS INBOX (MESSAGES UNSEEN RECENT)

Select a mailbox
A1 SELECT INBOX

List messages
A1 FETCH 1:* (FLAGS)
A1 UID FETCH 1:* (FLAGS)

Retrieve Message Content
A1 FETCH 2 body[text]
A1 FETCH 2 all
A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[])

Close Mailbox
A1 CLOSE

Logout
A1 LOGOUT
```
From [here](https://donsutherland.org/crib/imap)

### Evolution

IMAP is a widely used protocol for accessing email: clients use it to retrieve messages from a mail server, and because the messages stay on the server a user can read the same mailbox from several devices and keep them in sync.

Evolution is an open-source email client for Linux and Unix-like systems that supports IMAP. It gives you a graphical interface for managing accounts, with filtering, search and encryption features, which makes it a convenient way to browse a mailbox once you have working credentials.

### IMAP Pentesting

When testing an IMAP server, the usual targets are:

- User enumeration: discovering valid usernames on the server, by brute force or other techniques.
- Password guessing: trying weak or reused passwords against user accounts (see the brute force section above).
- Man-in-the-middle attacks: intercepting and modifying the traffic between the email client and the server to gain access or steal sensitive information; on port 143 without `STARTTLS`, credentials and mail travel in cleartext.
- Command injection: exploiting vulnerabilities in the IMAP server software to execute arbitrary commands on the server.
- Denial of Service (DoS): overloading the server with requests until it becomes unresponsive or crashes.

### IMAP Pentesting Tools

Some commonly used tools:

- Nmap: discovers open IMAP ports and, with its `imap-*` NSE scripts, grabs banners, capabilities and NTLM info.
- Hydra: password guessing against IMAP accounts.
- Wireshark: captures and analyses the traffic between the email client and the server.
- Metasploit: includes auxiliary modules for IMAP (e.g. `auxiliary/scanner/imap/imap_version`, used in the automatic commands below).
- OWASP ZAP: a web application scanner, useful against webmail front-ends that sit on top of IMAP rather than against the IMAP service itself.

Install Evolution with:
```
apt install evolution
```
![](<../.gitbook/assets/image (528).png>)

### CURL

Basic navigation is possible with [CURL](https://ec.haxx.se/usingcurl/usingcurl-reademail#imap), but the documentation is light on details, so checking the [source](https://github.com/curl/curl/blob/master/lib/imap.c) for the precise behaviour is recommended.

1. List mailboxes (IMAP command `LIST "" "*"`)
```bash
$ curl -k 'imaps://1.2.3.4/' --user user:pass
```
2. List the messages in a mailbox (IMAP commands `SELECT INBOX` then `SEARCH ALL`)
```bash
$ curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass
```
The result of this search is a list of message indices.

More complex search criteria can also be supplied. For example, searching drafts for mail with a password in the body:
```bash
$ curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass
```
A good overview of the search criteria can be found [here](https://www.atmail.com/blog/imap-commands/).

3. Download a message (IMAP commands `SELECT Drafts` then `FETCH 1 BODY[]`)
```bash
$ curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass
```
The mail index is the same index returned by the search operation. Note that `BODY[]` sets the `\Seen` flag on the fetched message (unlike `BODY.PEEK[]` in the syntax table above), so a previously unread mail will show as read to its owner.

It is also possible to use the `UID` (unique id) to access messages, but this is less convenient because the search command has to be formatted manually. E.g.
```bash
$ curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SEARCH ALL' --user user:pass
$ curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user user:pass
```
It is also possible to download only parts of a message, e.g. the subject and sender of the first 5 messages (`-v` is required to see the subject and sender):
```bash
$ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<'
```
Although a simple for loop is probably cleaner:
```bash
for m in {1..5}; do
  echo $m
  curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass
done
```
Two caveats: `-k` disables TLS certificate validation, so you cannot tell the real server from an interceptor, and the loop above uses `imap://` on port 143, which sends `user:pass` in cleartext; prefer `imaps://` wherever the server offers it.

## Shodan

* `port:143 CAPABILITY`
* `port:993 CAPABILITY`

## HackTricks Automatic Commands

```
Protocol_Name: IMAP    #Protocol Abbreviation if there is one.
Port_Number:  143,993     #Comma separated if there is more than one.
Protocol_Description: Internet Message Access Protocol          #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for IMAP
  Note: |
    As its name implies, IMAP allows you to access your email messages wherever you are; much of the time, it is accessed via the Internet. Basically, email messages are stored on servers. Whenever you check your inbox, your email client contacts the server to connect you with your messages. When you read an email message using IMAP, you aren't actually downloading or storing it on your computer; instead, you are reading it off of the server. As a result, it's possible to check your email from several different devices without missing a thing.
    https://book.hacktricks.xyz/pentesting/pentesting-imap

Entry_2:
  Name: Banner Grab
  Description: Banner Grab 143
  Command: nc -nv {IP} 143

Entry_3:
  Name: Secure Banner Grab
  Description: Banner Grab 993
  Command: openssl s_client -connect {IP}:993 -quiet

Entry_4:
  Name: consoleless msf enumeration
  Description: IMAP enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/imap/imap_version; set RHOSTS {IP}; set RPORT 143; run; exit'
```
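The NTLM challenge in the telnet session above is just base64 over a fixed binary structure (the MS-NLMP Type 2 message), so you can decode it yourself instead of relying on `imap-ntlm-info.nse`. The following is an added example and not part of the original page: it reuses the NEGOTIATE and CHALLENGE blobs from that session as constructed test input, and `probe_imap_ntlm` (our name and argument list) drives the same exchange against a live host with the standard library's `imaplib`, aborting the handshake right after the challenge so no credentials are ever sent.

```python
import base64
import imaplib
import struct
import sys
from datetime import datetime, timedelta, timezone

# Both blobs are copied from the telnet session above (constructed test input for this example).
NTLM_NEGOTIATE = base64.b64decode("TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=")
SAMPLE_CHALLENGE = "TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA"

# AV_PAIR ids (MS-NLMP 2.2.2.1) worth reporting; id 7 (timestamp) is handled separately.
AV_IDS = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_ntlm_challenge(blob_b64):
    """Decode an NTLM Type 2 (CHALLENGE) message and return what it leaks."""
    msg = base64.b64decode(blob_b64)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)      # TargetName len/maxlen/offset
    flags = struct.unpack_from("<I", msg, 20)[0]
    info = {
        "flags": flags,
        "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "server_challenge": msg[24:32].hex(),
    }
    if flags & NEGOTIATE_TARGET_INFO:
        ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)  # TargetInfo len/maxlen/offset
        pos, end = ti_off, ti_off + ti_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", msg, pos)
            pos += 4
            if av_id == 0:                                   # MsvAvEOL
                break
            value = msg[pos:pos + av_len]
            pos += av_len
            if av_id == 7 and av_len == 8:                   # MsvAvTimestamp: the server's clock
                info["timestamp"] = filetime_to_datetime(struct.unpack("<Q", value)[0])
            elif av_id in AV_IDS:
                info[AV_IDS[av_id]] = value.decode("utf-16-le")
    if flags & NEGOTIATE_VERSION:                            # 8-byte Version field at offset 48
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["os_version"] = f"{major}.{minor} build {build}"
    return info


def probe_imap_ntlm(host, port=143, use_tls=False, timeout=10.0):
    """Grab the banner and the NTLM challenge from a live server without sending credentials.

    The authenticate callback returns our NEGOTIATE on the empty first "+" and None on the
    CHALLENGE, which makes imaplib send "*" (abort); the server then answers NO/BAD.
    """
    cls = imaplib.IMAP4_SSL if use_tls else imaplib.IMAP4
    conn = cls(host, port, timeout=timeout)                  # timeout keyword needs Python 3.9+
    captured = {}

    def ntlm_step(server_data):
        if not server_data:
            return NTLM_NEGOTIATE
        captured["challenge"] = base64.b64encode(server_data).decode()
        return None

    try:
        if "AUTH=NTLM" not in conn.capabilities:
            raise RuntimeError(f"no AUTH=NTLM in capabilities: {conn.capabilities}")
        conn.authenticate("NTLM", ntlm_step)
    except imaplib.IMAP4.error:
        pass                                                 # expected: our abort gets NO/BAD
    finally:
        try:
            conn.logout()
        except Exception:
            pass
    if "challenge" not in captured:
        raise RuntimeError("server did not return an NTLM challenge")
    info = parse_ntlm_challenge(captured["challenge"])
    info["banner"] = conn.welcome.decode(errors="replace").strip()
    return info


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None      # hostname/IP you are authorised to test
    result = probe_imap_ntlm(target) if target else parse_ntlm_challenge(SAMPLE_CHALLENGE)
    for k, v in result.items():
        print(f"{k:17} {v:#x}" if k == "flags" else f"{k:17} {v}")
```

Run without arguments to decode the sample (the Exchange host above turns out to be `IIS01`, Windows 6.3 build 9600, i.e. Server 2012 R2 era); with a hostname it performs the probe and adds the greeting banner. The timestamp AV pair is the server's current time, handy for spotting clock skew across hosts.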
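The LIST / SELECT / SEARCH / FETCH walk from the syntax table and the curl one-liners above, scripted so it covers every mailbox and several keywords in one pass. This is an added example, not code from the original page: `hunt`, `parse_list_line`, `summarize_headers` and `imap_quote` are our names, the host, user and password in the usage line are placeholders, and the LIST lines and header block used for the offline check are constructed. Two details matter when you are in someone else's mailbox: `EXAMINE` (imaplib's `select(..., readonly=True)`) instead of `SELECT`, and `BODY.PEEK[...]` instead of `BODY[...]`, so no message gains a `\Seen` flag and the owner sees no unread mail flip to read.

```python
import email
import imaplib
import re
from email import policy
from typing import Dict, Iterable, List, Optional, Tuple

# Untagged LIST response body: (flags) "delimiter"|NIL mailbox-name   (RFC 3501 7.2.2)
LIST_RE = re.compile(rb'^\((?P<flags>[^)]*)\) (?P<delim>"[^"]*"|NIL) (?P<name>.+)$')

# Constructed header block, as FETCH BODY.PEEK[HEADER.FIELDS (FROM TO SUBJECT DATE)] returns it.
SAMPLE_HEADERS = (
    b"From: IT Helpdesk <helpdesk@example.com>\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: =?utf-8?q?Passw=C3=B6rter_f=C3=BCr_VPN?=\r\n"
    b"Date: Wed, 04 Mar 2020 18:36:28 +0000\r\n"
    b"\r\n"
)


def imap_quote(value: str) -> str:
    """Build an IMAP quoted-string: \ and " must be escaped, as the syntax table notes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_list_line(line: bytes) -> Tuple[List[str], Optional[str], str]:
    """Split one LIST response into (flags, hierarchy delimiter, mailbox name)."""
    m = LIST_RE.match(line)
    if not m:
        raise ValueError(f"unexpected LIST response: {line!r}")
    flags = m.group("flags").decode().split()
    delim = None if m.group("delim") == b"NIL" else m.group("delim")[1:-1].decode()
    name = m.group("name").decode()
    if len(name) >= 2 and name.startswith('"') and name.endswith('"'):
        name = re.sub(r'\\(["\\])', r"\1", name[1:-1])       # undo quoted-string escaping
    # Non-ASCII names arrive in modified UTF-7 (RFC 3501 5.1.3); not decoded here.
    return flags, delim, name


def summarize_headers(raw: bytes) -> Dict[str, str]:
    """Reduce a fetched header block to the fields worth triaging (RFC 2047 words decoded)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {k: str(msg.get(k, "")) for k in ("From", "To", "Subject", "Date")}


def hunt(host: str, user: str, password: str, keywords: Iterable[str],
         use_tls: bool = True, port: Optional[int] = None) -> List[Dict[str, str]]:
    """LIST every selectable mailbox, SEARCH TEXT for each keyword, fetch the matching headers."""
    cls = imaplib.IMAP4_SSL if use_tls else imaplib.IMAP4
    conn = cls(host, port or (993 if use_tls else 143))
    hits: List[Dict[str, str]] = []
    try:
        conn.login(user, password)
        typ, boxes = conn.list()
        if typ != "OK":
            raise RuntimeError(f"LIST failed: {boxes}")
        for line in boxes:
            if not line:
                continue
            flags, _, name = parse_list_line(line)
            if any(f.lower() == "\\noselect" for f in flags):   # hierarchy node, cannot be opened
                continue
            if conn.select(imap_quote(name), readonly=True)[0] != "OK":   # EXAMINE, not SELECT
                continue
            for kw in keywords:
                typ, data = conn.search(None, "TEXT", imap_quote(kw))
                if typ != "OK" or not data[0]:
                    continue
                for seq in data[0].split():
                    # BODY.PEEK leaves \Seen untouched; BODY[] (what curl sends) would set it
                    typ, fetched = conn.fetch(seq, "(BODY.PEEK[HEADER.FIELDS (FROM TO SUBJECT DATE)])")
                    if typ != "OK" or not fetched or not isinstance(fetched[0], tuple):
                        continue
                    hit = summarize_headers(fetched[0][1])
                    hit.update({"mailbox": name, "seq": seq.decode(), "keyword": kw})
                    hits.append(hit)
            conn.close()
        return hits
    finally:
        try:
            conn.logout()
        except Exception:
            pass


if __name__ == "__main__":
    # Placeholders: point these at an account you are authorised to test.
    for h in hunt("1.2.3.4", "user", "pass", ["password", "passwd", "vpn"]):
        print(h)
```

`SEARCH TEXT` is evaluated server-side over headers and body, so a three-keyword sweep of a large account costs one round trip per mailbox per keyword rather than downloading everything; the sequence numbers it returns are only valid inside the current EXAMINE session, which is why the headers are fetched before moving to the next mailbox.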