hacktricks/network-services-pentesting/pentesting-imap.md
2024-02-11 02:13:58 +00:00

# 143,993 - Pentesting IMAP

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Find the vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}


## Internet Message Access Protocol

The Internet Message Access Protocol (IMAP) is designed to let users access their email messages from any location, mainly over an Internet connection. In essence, emails stay on the server rather than being downloaded and stored on an individual's device. This means that when an email is accessed or read, it is done directly from the server. This makes it convenient to check email from several devices and ensures that no message is missed regardless of the device used.

By default, the IMAP protocol works on two ports:

* Port 143 - this is the default, non-encrypted IMAP port
* Port 993 - this is the port you need to use if you want to connect using IMAP securely

```
PORT    STATE SERVICE REASON
143/tcp open  imap    syn-ack
```

## Banner Grabbing

Banner grabbing means connecting to the IMAP service and reading the first response the server sends. That greeting often reveals the software in use, its version and other details about the service, which is useful input for the next steps of the assessment. Any plain TCP client works (`telnet <IMAP server> <port>` or `nc`); for the TLS port `openssl s_client` performs the handshake for you:

```bash
nc -nv <IP> 143
openssl s_client -connect <IP>:993 -quiet
```
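As an added example (not part of the original HackTricks page), the following Python checks what the greeting and `CAPABILITY` response collected with the commands above say about the server's posture on the cleartext port: whether `STARTTLS` is offered, whether `LOGINDISABLED` is set so that `LOGIN` is refused before TLS, whether cleartext SASL mechanisms are advertised pre-TLS, and whether the banner names a version. The sample responses are constructed for this example; the host name and version string in them are invented, and the third sample covers servers that only answer capabilities to an explicit `CAPABILITY` command.

```python
import re

# Constructed sample responses (not captured from a real server).
# A server on 143 that accepts cleartext logins and names its version:
WEAK_GREETING = [
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ ID IDLE AUTH=PLAIN AUTH=LOGIN] mail.example.test IMAP 2.3.7 ready",
]
# A server on 143 that only allows authentication after STARTTLS:
HARDENED_GREETING = [
    "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] ready.",
]
# A server that does not embed capabilities in the greeting; the client sent
# "a1 CAPABILITY" and received a separate untagged response:
SEPARATE_CAPABILITY = [
    "* OK IMAP server ready.",
    "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
    "a1 OK Pre-login capabilities listed, post-login capabilities have more.",
]

CAP_CODE_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")
VERSION_RE = re.compile(r"\b\d+\.\d+(\.\d+)*\b")
CLEARTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(lines):
    """Collect capability tokens from a greeting response code and/or an
    untagged '* CAPABILITY' response."""
    caps = set()
    for line in lines:
        code = CAP_CODE_RE.search(line)
        if code:
            caps.update(code.group(1).split())
        elif line.startswith("* CAPABILITY "):
            caps.update(line[len("* CAPABILITY "):].split())
    return caps


def banner_text(lines):
    """Free-text part of the '* OK' greeting with the response code removed."""
    for line in lines:
        if line.startswith("* OK"):
            return CAP_CODE_RE.sub("", line[len("* OK"):]).strip()
    return ""


def assess_imap_greeting(lines, port=143):
    """Return capabilities, banner and a list of findings. On 993 the transport
    is already TLS, so only the banner content is checked there."""
    caps = parse_capabilities(lines)
    banner = banner_text(lines)
    findings = []
    if port == 143:
        if "STARTTLS" not in caps:
            findings.append("STARTTLS not offered: the session can only be cleartext")
        if "LOGINDISABLED" not in caps:
            findings.append("LOGINDISABLED not set: LOGIN is accepted before TLS")
        exposed = sorted(caps & CLEARTEXT_MECHS)
        if exposed:
            findings.append("cleartext SASL mechanisms advertised before TLS: " + ", ".join(exposed))
    if VERSION_RE.search(banner):
        findings.append("version string in greeting: " + banner)
    return {"capabilities": caps, "banner": banner, "findings": findings}


if __name__ == "__main__":
    samples = [("weak", WEAK_GREETING), ("hardened", HARDENED_GREETING), ("separate", SEPARATE_CAPABILITY)]
    for name, sample in samples:
        print(name, assess_imap_greeting(sample)["findings"] or "no findings")
```

Feed it the lines you captured with `nc` (port 143) or `openssl s_client` (pass `port=993`); if the greeting carries no `[CAPABILITY ...]` code, include the response to an explicit `a1 CAPABILITY` so the pre-TLS mechanisms are evaluated rather than assumed absent.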

## NTLM Auth - Information disclosure

If the server supports NTLM auth (Windows) you can obtain sensitive information (versions):

```
root@kali: telnet example.com 143
* OK The Microsoft Exchange IMAP4 service is ready.
>> a1 AUTHENTICATE NTLM
+
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
+ TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
```

Or automate this with the nmap plugin `imap-ntlm-info.nse`.
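To see exactly what the challenge above discloses, here is an added Python decoder for the NTLM CHALLENGE_MESSAGE (Type 2) following the field layout in MS-NLMP; it is not code from HackTricks or from the nmap script. The only input is the base64 challenge the Exchange server returned in the session above, so the output is what an unauthenticated client learns from that one round trip and what you would expect your own server to stop sending after disabling NTLM on the IMAP front end.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# The CHALLENGE_MESSAGE (Type 2) returned by the Exchange server in the session above.
PAGE_CHALLENGE = "TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA"

# AV_PAIR ids from MS-NLMP section 2.2.2.1 (0x0000 is MsvAvEOL, the terminator).
AV_PAIR_NAMES = {
    0x0001: "MsvAvNbComputerName",
    0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName",
    0x0004: "MsvAvDnsDomainName",
    0x0005: "MsvAvDnsTreeName",
    0x0006: "MsvAvFlags",
    0x0007: "MsvAvTimestamp",
}
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def filetime_to_iso(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an ISO 8601 string."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=filetime // 10)).isoformat()


def decode_ntlm_challenge(b64_challenge):
    """Parse a Type 2 message and return target name, OS version and the AV pairs."""
    raw = base64.b64decode(b64_challenge)
    if raw[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    # Offsets: 12 TargetNameFields, 20 NegotiateFlags, 24 ServerChallenge,
    # 32 Reserved, 40 TargetInfoFields, 48 Version (only if the VERSION flag is set).
    name_len, _, name_off = struct.unpack_from("<HHI", raw, 12)
    flags = struct.unpack_from("<I", raw, 20)[0]
    info_len, _, info_off = struct.unpack_from("<HHI", raw, 40)
    result = {
        "flags": flags,
        "target_name": raw[name_off:name_off + name_len].decode("utf-16-le"),
        "version": None,
        "target_info": {},
    }
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", raw, 48)
        result["version"] = (major, minor, build)
    if flags & NTLMSSP_NEGOTIATE_TARGET_INFO:
        pos, end = info_off, info_off + info_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", raw, pos)
            value = raw[pos + 4:pos + 4 + av_len]
            pos += 4 + av_len
            if av_id == 0x0000:  # MsvAvEOL terminates the list
                break
            if av_id == 0x0007:
                decoded = filetime_to_iso(struct.unpack("<Q", value)[0])
            elif av_id == 0x0006:
                decoded = struct.unpack("<I", value)[0]
            else:
                decoded = value.decode("utf-16-le", errors="replace")
            result["target_info"][AV_PAIR_NAMES.get(av_id, f"0x{av_id:04x}")] = decoded
    return result


if __name__ == "__main__":
    info = decode_ntlm_challenge(PAGE_CHALLENGE)
    print("target name:", info["target_name"])
    print("OS version:", "%d.%d build %d" % info["version"])
    for key, value in info["target_info"].items():
        print(f"{key}: {value}")
```

For the challenge on this page the decoder reports `IIS01` as target, NetBIOS and DNS name and OS version 6.3 build 9600, which is Windows Server 2012 R2 (or Windows 8.1); these are the same fields `imap-ntlm-info.nse` prints. The `MsvAvTimestamp` pair additionally gives the server's clock at the time of the exchange.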

## IMAP Bruteforce

### Syntax

IMAP command examples from here:

```
Login
    A1 LOGIN username password
Values can be quoted to enclose spaces and special characters. A " must then be escaped with a \
    A1 LOGIN "username" "password"

List Folders/Mailboxes
    A1 LIST "" *
    A1 LIST INBOX *
    A1 LIST "Archive" *

Create new Folder/Mailbox
    A1 CREATE INBOX.Archive.2012
    A1 CREATE "To Read"

Delete Folder/Mailbox
    A1 DELETE INBOX.Archive.2012
    A1 DELETE "To Read"

Rename Folder/Mailbox
    A1 RENAME "INBOX.One" "INBOX.Two"

List Subscribed Mailboxes
    A1 LSUB "" *

Status of Mailbox (There are more flags than the ones listed)
    A1 STATUS INBOX (MESSAGES UNSEEN RECENT)

Select a mailbox
    A1 SELECT INBOX

List messages
    A1 FETCH 1:* (FLAGS)
    A1 UID FETCH 1:* (FLAGS)

Retrieve Message Content
    A1 FETCH 2 body[text]
    A1 FETCH 2 all
    A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[])

Close Mailbox
    A1 CLOSE

Logout
    A1 LOGOUT
```

## Evolution


```bash
apt install evolution
```

## CURL

Basic navigation is possible with CURL, but the documentation is light on details, so checking the source is recommended for precise information.

1. Listing mailboxes (imap command `LIST "" "*"`)

```bash
curl -k 'imaps://1.2.3.4/' --user user:pass
```

2. Listing messages in a mailbox (imap command `SELECT INBOX` and then `SEARCH ALL`)

```bash
curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass
```

The result of this search is a list of message indices.

It's also possible to provide more complex search terms, e.g. searching for drafts with "password" in the mail body:

```bash
curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass
```

A nice overview of the search terms possible is located here.

3. Downloading a message (imap command `SELECT Drafts` and then `FETCH 1 BODY[]`)

```bash
curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass
```

The mail index will be the same index returned from the search operation.

It is also possible to use the UID (unique id) to access messages, however it is less convenient as the search command needs to be manually formatted. E.g.

```bash
curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SEARCH ALL' --user user:pass
curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user user:pass
```

Also, it's possible to download just parts of a message, e.g. the subject and sender of the first 5 messages (the `-v` is required to see the subject and sender):

```bash
$ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<'
```

Although, it's probably cleaner to just write a little for loop:

```bash
for m in {1..5}; do
  echo $m
  curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass
done
```

## Shodan

* `port:143 CAPABILITY`
* `port:993 CAPABILITY`

## HackTricks Automatic Commands

```yaml
Protocol_Name: IMAP    #Protocol Abbreviation if there is one.
Port_Number:  143,993     #Comma separated if there is more than one.
Protocol_Description: Internet Message Access Protocol          #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for WHOIS
  Note: |
    The Internet Message Access Protocol (IMAP) is designed to let users access their email messages from any location, mainly over an Internet connection. In essence, emails are kept on the server rather than being downloaded and stored on an individual's device. This means that when an email is accessed or read, it is done directly from the server. This makes it convenient to check email from several devices and ensures that no message is missed regardless of the device used.

    https://book.hacktricks.xyz/pentesting/pentesting-imap

Entry_2:
  Name: Banner Grab
  Description: Banner Grab 143
  Command: nc -nv {IP} 143

Entry_3:
  Name: Secure Banner Grab
  Description: Banner Grab 993
  Command: openssl s_client -connect {IP}:993 -quiet

Entry_4:
  Name: consoleless mfs enumeration
  Description: IMAP enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/imap/imap_version; set RHOSTS {IP}; set RPORT 143; run; exit'
```

