IMAP - 143/993

The Internet Message Access Protocol (IMAP) is a protocol used by email clients to retrieve and manage email messages stored on a mail server. Unlike POP3, IMAP allows multiple devices to access the same mailbox, keeping emails on the server and enabling synchronization across clients.

  • Default ports: 143, 993

Enumeration

# Nmap service/version detection + default scripts
sudo nmap -sV -sC -p 143,993 10.10.10.10

# Check plain-text IMAP connection
telnet 10.10.10.10 143

# Secure connection (IMAPS)
openssl s_client -connect 10.10.10.10:993

# Test login with curl
curl --url imap://10.10.10.10/ --user 'user:pass'

# Brute-force login
hydra -L users.txt -P passwords.txt imap://10.10.10.10

# List supported capabilities (e.g. STARTTLS)
nmap --script imap-capabilities -p 143 10.10.10.10
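
The capability list returned above also shows whether port 143 accepts credentials before any TLS upgrade. The following Python is an added example, not part of the original page: it parses a CAPABILITY response and reports the settings a mail administrator should correct. The sample lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample responses (not captured from a real server).
SAMPLE_WEAK = "* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR IDLE AUTH=PLAIN AUTH=LOGIN"
SAMPLE_HARDENED = "* OK [CAPABILITY IMAP4rev1 SASL-IR STARTTLS LOGINDISABLED] Ready."


def parse_capabilities(line):
    """Return the upper-cased capability atoms from an untagged CAPABILITY
    response or from a [CAPABILITY ...] response code in a server greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I) or \
        re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I)
    if not m:
        raise ValueError("no CAPABILITY data in line")
    return {atom.upper() for atom in m.group(1).split()}


def audit_plaintext_port(caps):
    """Findings for a server answering on port 143 before any TLS upgrade."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: session cannot be upgraded to TLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: LOGIN is not disabled before TLS")
    cleartext = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if cleartext:
        findings.append("cleartext SASL mechanisms before TLS: " + ", ".join(cleartext))
    return findings


if __name__ == "__main__":
    for name, line in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_plaintext_port(parse_capabilities(line)) or "no findings")
```

A server that advertises STARTTLS and LOGINDISABLED on port 143, and offers AUTH=PLAIN only after the TLS upgrade, produces no findings.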

Exploitation

# Login (plain-text)
a LOGIN user@example.com password

# List mailboxes
a LIST "" "*"

# Select inbox and fetch headers
a SELECT INBOX
a FETCH 1:* (FLAGS BODY[HEADER.FIELDS (FROM SUBJECT)])

# Fetch full emails
a FETCH 1:* BODY[]

# Tools for dumping an inbox
# 1: https://github.com/polo2ro/imapbox
# 2: https://github.com/yankeguo/imapdump
# 3: https://gist.github.com/polo2ro/e142e164a327ee576321