143,993 - Pentesting IMAP
☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want access to the latest version of PEASS or download HackTricks as a PDF? Check the subscription plans!
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group, or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Find the vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, and finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it free today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
Internet Message Access Protocol
As its name implies, IMAP allows you to access your email messages wherever you are; much of the time, it is accessed via the Internet. Basically, email messages are stored on servers. Whenever you check your inbox, your email client contacts the server to connect you with your messages. When you read an email message using IMAP, you aren't actually downloading or storing it on your computer; instead, you are reading it off of the server. As a result, it's possible to check your email from several different devices without missing a thing.
By default, the IMAP protocol works on two ports:
- Port 143 - this is the default IMAP non-encrypted port
- Port 993 - this is the port you need to use if you want to connect using IMAP securely
PORT STATE SERVICE REASON
143/tcp open imap syn-ack
Banner grabbing
Banner grabbing is a technique for obtaining version information about the network services running on a target host. In a penetration test it is an important step because it tells you which services are running on the target system and which versions.
The process usually consists of sending a specific request to the target host and reading the service's response, which typically contains details such as the service name, version number and other related information. Analysing that response identifies the running services and their versions, which feeds the later phases of the test.
Banner grabbing can be done with many tools and techniques; common ones include Telnet, Netcat and Nmap, which send the appropriate request and extract the information from the response.
When grabbing banners, keep the following in mind:
- Choose a tool and technique that reliably obtains the service's version information.
- Comply with the law and ethical norms; do not infringe the legitimate rights of the target system.
- Correlate the banner-grabbing results with other information to build a fuller picture of the target system.
Banner grabbing gives the pentester a better understanding of the network services running on the target system and their versions, which provides valuable leads for later activities.
nc -nv <IP> 143
openssl s_client -connect <IP>:993 -quiet
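Beyond the one-liners above, what matters on the cleartext port is which capabilities the server advertises before TLS: whether STARTTLS is offered, whether LOGIN is refused until TLS is negotiated (LOGINDISABLED), and whether plaintext SASL mechanisms or NTLM are on the table. The following Python example (added here; it is not part of the original page and not taken from any tool the page mentions) grabs the greeting and CAPABILITY reply and runs those checks. The sample lines are constructed: the Exchange greeting is the one quoted later on this page, but its CAPABILITY reply and the Dovecot greeting are made up for illustration.

```python
import re
import socket
import ssl

# Capabilities can arrive in the greeting's [CAPABILITY ...] response code or in
# an untagged "* CAPABILITY ..." reply to an explicit CAPABILITY command.
GREETING_RE = re.compile(r"^\* (?:OK|PREAUTH)(?: \[CAPABILITY ([^\]]+)\])? ?(.*)$")
UNTAGGED_CAPS_RE = re.compile(r"^\* CAPABILITY (.+)$")

# Constructed sample exchanges (not captured from any real host). The first line of
# EXCHANGE_STYLE is the greeting quoted on this page; its CAPABILITY reply is invented.
HARDENED_DOVECOT = [
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.\r\n",
]
EXCHANGE_STYLE = [
    "* OK The Microsoft Exchange IMAP4 service is ready.\r\n",
    "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=NTLM AUTH=GSSAPI STARTTLS UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+\r\n",
    "a1 OK CAPABILITY completed.\r\n",
]


def parse_capabilities(lines):
    """Collect capability tokens (upper-cased; IMAP treats them case-insensitively)."""
    caps = set()
    for line in lines:
        m = UNTAGGED_CAPS_RE.match(line.strip()) or GREETING_RE.match(line.strip())
        if m and m.group(1):
            caps.update(tok.upper() for tok in m.group(1).split())
    return caps


def greeting_text(line):
    """Free text of the greeting, which often names the software (None if not a greeting)."""
    m = GREETING_RE.match(line.strip())
    return m.group(2) if m else None


def assess(caps, port):
    """Defender-side checks on what a given port advertises before any TLS."""
    findings = []
    cleartext = port != 993  # 993 is implicit TLS; everything else starts in the clear
    if cleartext and "STARTTLS" not in caps:
        findings.append("no STARTTLS: every login on this port crosses the wire in the clear")
    if cleartext and "LOGINDISABLED" not in caps:
        findings.append("LOGIN accepted before TLS (LOGINDISABLED missing)")
    if cleartext and caps & {"AUTH=PLAIN", "AUTH=LOGIN"}:
        findings.append("plaintext SASL mechanism advertised before TLS")
    if "AUTH=NTLM" in caps:
        findings.append("AUTH=NTLM advertised: the NTLM challenge reveals host names and OS version")
    return findings


def grab_banner(host, port, timeout=5.0):
    """Live equivalent of the nc/openssl one-liners: greeting plus CAPABILITY, then LOGOUT."""
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if port == 993 else raw
    lines = []
    with sock, sock.makefile("rwb") as f:
        lines.append(f.readline().decode("utf-8", "replace"))  # greeting
        f.write(b"a1 CAPABILITY\r\n")
        f.flush()
        while True:
            line = f.readline().decode("utf-8", "replace")
            if not line:
                break
            lines.append(line)
            if line.startswith("a1 "):  # tagged completion of our command
                break
        f.write(b"a2 LOGOUT\r\n")
        f.flush()
    return lines


if __name__ == "__main__":
    import sys
    captured = grab_banner(sys.argv[1], int(sys.argv[2]))
    print(greeting_text(captured[0]))
    for finding in assess(parse_capabilities(captured), int(sys.argv[2])):
        print("-", finding)
```

Run as `python3 imap_caps.py <IP> 143`. On 993 the default SSL context verifies the certificate, so a self-signed server needs a context with verification relaxed (the page's `openssl s_client` does not verify either). A Dovecot with `disable_plaintext_auth=yes` produces the empty findings list; a server that advertises AUTH=PLAIN and AUTH=NTLM on 143 without LOGINDISABLED produces three.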
NTLM Auth - Information disclosure
If the server supports NTLM auth (Windows) you can obtain sensitive info (versions):
root@kali: telnet example.com 143
* OK The Microsoft Exchange IMAP4 service is ready.
>> a1 AUTHENTICATE NTLM
+
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
+ TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
Or automate this with the nmap plugin imap-ntlm-info.nse.
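To see what the "+ TlRMTVNTUAAC..." line above actually gives away, here is a small decoder for the NTLM CHALLENGE_MESSAGE (Type 2) layout from MS-NLMP, added as an example for this page (it is not code from the page, from nmap or from the imap-ntlm-info script). It reads the Version block (OS major/minor/build) and the AV_PAIR target info (NetBIOS and DNS names, server timestamp), which is exactly the information the nmap script reports and the reason to keep NTLM off an Internet-facing IMAP port when it is not needed. The sample blob is the one quoted on this page.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# The CHALLENGE_MESSAGE the server returned in the exchange quoted on this page.
PAGE_CHALLENGE = (
    "TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEA"
    "AgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA"
)

NEGOTIATE_VERSION = 0x02000000  # the 8-byte Version block is only present when this flag is set
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_ntlm_challenge(blob_b64):
    data = base64.b64decode(blob_b64)
    if data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    # Fixed header: TargetName fields at 12, NegotiateFlags at 20, ServerChallenge at 24,
    # Reserved at 32, TargetInfo fields at 40, Version at 48 (all little-endian).
    tn_len, _, tn_off = struct.unpack_from("<HHI", data, 12)
    flags = struct.unpack_from("<I", data, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", data, 40)
    info = {
        "flags": flags,
        "target_name": data[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "av_pairs": {},
    }
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", data, 48)
        info["version"] = (major, minor, build)
    # AV_PAIR list: (AvId u16, AvLen u16, value) until MsvAvEOL (id 0).
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:
            break
        value = data[pos:pos + av_len]
        pos += av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        if av_id == 7:
            info["av_pairs"][name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id in (1, 2, 3, 4, 5):
            info["av_pairs"][name] = value.decode("utf-16-le")
        else:
            info["av_pairs"][name] = value.hex()
    return info


if __name__ == "__main__":
    parsed = parse_ntlm_challenge(PAGE_CHALLENGE)
    print("OS version:", ".".join(map(str, parsed.get("version", ()))))
    print("Target name:", parsed["target_name"])
    for k, v in parsed["av_pairs"].items():
        print(f"{k}: {v}")
```

For the page's blob this yields version 6.3 build 9600 (the Windows 8.1 / Server 2012 R2 kernel), the name IIS01 as NetBIOS and DNS computer and domain name, and a server clock reading from 2020. No credentials are involved at any point: the information comes from the server's own challenge, which is why the nmap script can collect it unauthenticated.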
IMAP Brute Force
Syntax
Login
A1 LOGIN username password
Values can be quoted to enclose spaces and special characters. A " must then be escaped with a \
A1 LOGIN "username" "password"
List Folders/Mailboxes
A1 LIST "" *
A1 LIST INBOX *
A1 LIST "Archive" *
Create new Folder/Mailbox
A1 CREATE INBOX.Archive.2012
A1 CREATE "To Read"
Delete Folder/Mailbox
A1 DELETE INBOX.Archive.2012
A1 DELETE "To Read"
Rename Folder/Mailbox
A1 RENAME "INBOX.One" "INBOX.Two"
List Subscribed Mailboxes
A1 LSUB "" *
Status of Mailbox (There are more flags than the ones listed)
A1 STATUS INBOX (MESSAGES UNSEEN RECENT)
Select a mailbox
A1 SELECT INBOX
List messages
A1 FETCH 1:* (FLAGS)
A1 UID FETCH 1:* (FLAGS)
Retrieve Message Content
A1 FETCH 2 body[text]
A1 FETCH 2 all
A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[])
Close Mailbox
A1 CLOSE
Logout
A1 LOGOUT
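The quoting rule above is what keeps a value containing spaces or quotes from being parsed as several arguments, so a client that builds commands from user-controlled input (mailbox names, search strings) must apply it consistently. The Python below, an added example rather than code from the page, implements that rule as a small command builder, parses the three kinds of server lines (continuation, untagged, tagged) and contrasts naive string formatting with proper quoting on a constructed hostile mailbox name. The `Raw` marker, the class names and the `A` tag prefix are this example's own conventions.

```python
import re

# Atoms that need no quoting. Anything else (spaces, quotes, backslashes, parentheses,
# wildcards, an empty string) is sent as a quoted string with " and \ escaped (RFC 3501).
SAFE_ATOM = re.compile(r"^[A-Za-z0-9._+\-]+$")


class Raw(str):
    """Marker for an argument sent verbatim, e.g. 1:* , (FLAGS) or the LIST wildcard *."""


def quote_arg(value):
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
        raise ValueError("CR, LF and non-ASCII need an IMAP literal ({n}), not a quoted string")
    if value and SAFE_ATOM.match(value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


class ImapCommandBuilder:
    """Produces tagged command lines with a fresh tag per command."""

    def __init__(self, prefix="A"):
        self.prefix = prefix
        self.counter = 0

    def command(self, name, *args):
        self.counter += 1
        tag = f"{self.prefix}{self.counter}"
        rendered = [str(a) if isinstance(a, Raw) else quote_arg(a) for a in args]
        return " ".join([tag, name.upper(), *rendered])


TAGGED_RE = re.compile(r"^(\S+) (OK|NO|BAD)(?: (.*))?$")


def parse_response(line):
    """Classify one server line: ('continuation', text), ('untagged', text) or ('tagged', tag, status, text)."""
    line = line.rstrip("\r\n")
    if line.startswith("+"):
        return ("continuation", line[1:].strip())
    if line.startswith("* "):
        return ("untagged", line[2:])
    m = TAGGED_RE.match(line)
    if m:
        return ("tagged", m.group(1), m.group(2), m.group(3) or "")
    raise ValueError(f"unparsable server line: {line!r}")


def injection_demo():
    """Why quoting matters: the same hostile value formatted naively versus through the builder."""
    hostile = 'INBOX" "*'  # constructed input containing a quote and a space
    naive = f'A1 LIST "" "{hostile}"'  # becomes three arguments: "" "INBOX" "*"
    safe = ImapCommandBuilder().command("LIST", "", hostile)  # one escaped argument
    return naive, safe


if __name__ == "__main__":
    b = ImapCommandBuilder()
    print(b.command("LOGIN", "us er", 'pa"ss\\'))
    print(b.command("LIST", "", Raw("*")))
    print(b.command("STATUS", "INBOX", Raw("(MESSAGES UNSEEN RECENT)")))
    print(parse_response("A1 NO [AUTHENTICATIONFAILED] Authentication failed."))
    for variant in injection_demo():
        print(variant)
```

Values with CR, LF or 8-bit characters cannot be expressed as quoted strings at all; the builder refuses them rather than emitting a malformed line, because the correct encoding is a `{n}` literal that requires waiting for the server's `+` continuation before the bytes are sent.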
From here
Evolution
IMAP is a widely-used protocol for accessing email. It is commonly used by email clients to retrieve messages from a mail server. IMAP allows users to access their email from multiple devices and keeps the email synchronized across all devices.
Evolution is an open-source email client that supports the IMAP protocol. It is available for Linux and Unix-like operating systems. Evolution provides a user-friendly interface for managing email accounts and has features such as email filtering, search, and encryption.
IMAP Pentesting
When conducting a penetration test on an IMAP server, there are several areas that can be targeted for vulnerabilities. These include:
- User enumeration: Attackers can attempt to enumerate valid usernames on the server by brute-forcing or using other techniques.
- Password guessing: Attackers can try to guess weak passwords for user accounts on the server.
- Man-in-the-middle attacks: Attackers can intercept and modify the communication between the email client and the server to gain unauthorized access or steal sensitive information.
- Command injection: Attackers can exploit vulnerabilities in the IMAP server software to execute arbitrary commands on the server.
- Denial of Service (DoS) attacks: Attackers can overload the server with a large number of requests, causing it to become unresponsive or crash.
IMAP Pentesting Tools
There are several tools available for pentesting IMAP servers. Some popular ones include:
- Nmap: A network scanning tool that can be used to discover open IMAP ports on a server.
- Hydra: A password cracking tool that can be used to guess weak passwords for IMAP accounts.
- Wireshark: A network protocol analyzer that can be used to capture and analyze the traffic between the email client and the server.
- Metasploit: A penetration testing framework that includes modules for testing IMAP servers for vulnerabilities.
- OWASP ZAP: An open-source web application security scanner that can be used to test the security of web-based email clients that use IMAP.
Conclusion
IMAP is a widely-used protocol for accessing email, and it is important to ensure the security of IMAP servers. By conducting penetration tests and using appropriate tools, vulnerabilities can be identified and mitigated, helping to protect sensitive information and prevent unauthorized access.
apt install evolution
CURL
Basic navigation is possible with CURL, but the documentation is light on details, so checking the source is recommended for precise details.
- Listing mailboxes (IMAP command LIST "" "*"):
$ curl -k 'imaps://1.2.3.4/' --user user:pass
- Listing messages in a mailbox (IMAP command SELECT INBOX then SEARCH ALL):
$ curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass
The result of this search is a list of message indices.
More complex search criteria can be given too. For example, searching drafts with password in the mail body:
$ curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass
A full overview of the search terms can be found here.
- Downloading a mail (IMAP command SELECT Drafts then FETCH 1 BODY[]):
$ curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass
The mail index will be the same as the index returned by the search operation.
It is also possible to access a mail by its UID (unique identifier), but this is less convenient because the search command has to be formatted manually. For example:
$ curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SEARCH ALL' --user user:pass
$ curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user user:pass
It is also possible to download only parts of a message, e.g. the subject and sender of the first 5 messages (the -v flag is needed to see the subject and sender):
$ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<'
Although it is probably cleaner to just write a small for loop:
for m in {1..5}; do
  echo $m
  curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass
done
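The same mailbox walk (search, then fetch only the Subject and From headers of a range of messages) is easier to script and to parse with Python's standard imaplib than with curl output piped through grep. The example below is added here and is not part of the original page; the live functions assume a host, user and password you supply, and the FETCH data used for the offline test is constructed in the exact shape imaplib returns (a (metadata, literal) tuple per message followed by a bare `b')'`). BODY.PEEK is used so that reading headers does not set the \Seen flag on the messages.

```python
import email
import imaplib
from email.header import decode_header, make_header

# Constructed imaplib-shaped FETCH data for two messages (not real mail).
SAMPLE_FETCH = [
    (b"1 (BODY[HEADER.FIELDS (SUBJECT FROM)] {54}",
     b"Subject: Quarterly report\r\nFrom: alice@example.com\r\n\r\n"),
    b")",
    (b"2 (BODY[HEADER.FIELDS (SUBJECT FROM)] {63}",
     b"Subject: =?utf-8?q?Gru=C3=9F?=\r\nFrom: Bob <bob@example.com>\r\n\r\n"),
    b")",
]


def _decode(value):
    """Decode RFC 2047 encoded words (=?utf-8?q?...?=) into a plain string."""
    return str(make_header(decode_header(value)))


def parse_header_fetch(data):
    """Turn imaplib FETCH data for BODY[HEADER.FIELDS (SUBJECT FROM)] into (seq, subject, from) rows."""
    rows = []
    for item in data:
        if not isinstance(item, tuple):
            continue  # the bare b')' that closes each message's parenthesised list
        meta, raw = item
        seq = int(meta.split()[0])  # message sequence number, same as curl's MAILINDEX
        msg = email.message_from_bytes(raw)
        rows.append((seq, _decode(msg.get("Subject", "")), _decode(msg.get("From", ""))))
    return rows


def search_mailbox(host, user, password, mailbox, *criteria, port=993):
    """Equivalent of curl 'imaps://host/Drafts?TEXT password': returns matching sequence numbers."""
    with imaplib.IMAP4_SSL(host, port) as conn:
        conn.login(user, password)
        conn.select(mailbox, readonly=True)
        typ, data = conn.search(None, *criteria)
        if typ != "OK":
            raise RuntimeError(f"SEARCH failed: {data}")
        return [int(n) for n in data[0].split()]


def fetch_headers(host, user, password, mailbox="INBOX", first=1, last=5, port=993):
    """Equivalent of the for loop above: Subject and From of messages first..last."""
    with imaplib.IMAP4_SSL(host, port) as conn:
        conn.login(user, password)
        conn.select(mailbox, readonly=True)
        typ, data = conn.fetch(f"{first}:{last}", "(BODY.PEEK[HEADER.FIELDS (SUBJECT FROM)])")
        if typ != "OK":
            raise RuntimeError(f"FETCH failed: {data}")
        return parse_header_fetch(data)


if __name__ == "__main__":
    import sys
    host, user, password = sys.argv[1:4]  # assumed arguments, supplied by the operator
    print("drafts mentioning 'password':", search_mailbox(host, user, password, "Drafts", "TEXT", "password"))
    for seq, subject, sender in fetch_headers(host, user, password):
        print(seq, sender, "::", subject)
```

imaplib.IMAP4_SSL verifies the server certificate by default, unlike `curl -k`; pass `ssl_context=` with verification disabled only when testing a host whose certificate you already know is self-signed.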
Shodan
port:143 CAPABILITY
port:993 CAPABILITY
HackTricks Automatic Commands
Protocol_Name: IMAP #Protocol Abbreviation if there is one.
Port_Number: 143,993 #Comma separated if there is more than one.
Protocol_Description: Internet Message Access Protocol #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for IMAP
Note: |
As its name implies, IMAP allows you to access your email messages wherever you are; much of the time, it is accessed via the Internet. Basically, email messages are stored on servers. Whenever you check your inbox, your email client contacts the server to connect you with your messages. When you read an email message using IMAP, you aren't actually downloading or storing it on your computer; instead, you are reading it off of the server. As a result, it's possible to check your email from several different devices without missing a thing.
https://book.hacktricks.xyz/pentesting/pentesting-imap
Entry_2:
Name: Banner Grab
Description: Banner Grab 143
Command: nc -nv {IP} 143
Entry_3:
Name: Secure Banner Grab
Description: Banner Grab 993
Command: openssl s_client -connect {IP}:993 -quiet
Entry_4:
Name: consoleless msf enumeration
Description: IMAP enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/imap/imap_version; set RHOSTS {IP}; set RPORT 143; run; exit'