Email Services (IMAP/POP3)
Overview
IMAP and POP3 are email retrieval protocols that allow clients to access email messages stored on mail servers. During enumeration, these services can reveal valuable information about the organization, system configuration, and potentially provide access to email data.
Key Characteristics:
POP3: Port 110 (plain), 995 (SSL/TLS)
IMAP: Port 143 (plain), 993 (SSL/TLS)
Protocol: Text-based commands
Authentication: Username/password based
Encryption: STARTTLS or SSL/TLS
IMAP vs POP3 Differences
Email Storage
Server-side (emails remain on server)
Client-side (downloads to local)
Multi-device Access
Yes (synchronization across devices)
Limited (downloads remove from server)
Folder Management
Yes (hierarchical mailboxes)
No (single inbox only)
Offline Access
Limited (requires sync)
Full (emails downloaded locally)
Server Storage
Higher (emails stored on server)
Lower (emails removed after download)
Functionality
Advanced (search, flags, folders)
Basic (list, retrieve, delete)
Typical Usage
Modern email clients, webmail
Legacy systems, simple clients
Port Overview
POP3
110
Post Office Protocol v3 (plain text)
POP3S
995
POP3 over SSL/TLS
IMAP
143
Internet Message Access Protocol (plain text)
IMAPS
993
IMAP over SSL/TLS
Protocol Commands
IMAP Commands
1 LOGIN username password
User's login
1 LIST "" *
Lists all directories
1 CREATE "INBOX"
Creates a mailbox with specified name
1 DELETE "INBOX"
Deletes a mailbox
1 RENAME "ToRead" "Important"
Renames a mailbox
1 LSUB "" *
Returns subset of names from active/subscribed mailboxes
1 SELECT INBOX
Selects a mailbox for message access
1 UNSELECT INBOX
Exits the selected mailbox
1 FETCH <ID> all
Retrieves data associated with a message
1 CLOSE
Removes all messages with Deleted flag set
1 LOGOUT
Closes connection with IMAP server
POP3 Commands
USER username
Identifies the user
PASS password
Authentication of the user using password
STAT
Requests number of saved emails from server
LIST
Requests number and size of all emails
RETR id
Requests server to deliver requested email by ID
DELE id
Requests server to delete requested email by ID
CAPA
Requests server to display server capabilities
RSET
Requests server to reset transmitted information
QUIT
Closes connection with POP3 server
Dangerous Settings
IMAP/POP3 servers like Dovecot can be misconfigured, potentially exposing sensitive information:
auth_debug
Enables all authentication debug logging
High
auth_debug_passwords
Logs submitted passwords and schemes
Critical
auth_verbose
Logs unsuccessful authentication attempts and reasons
Medium
auth_verbose_passwords
Passwords used for authentication are logged
Critical
auth_anonymous_username
Username for ANONYMOUS SASL mechanism
Medium
Enumeration Techniques
1. Service Detection
# Nmap service detection
nmap -p110,143,993,995 -sV -sC target
# Comprehensive mail server enumeration
nmap -p110,143,993,995 --script imap-capabilities,pop3-capabilities target2. Banner Grabbing
# POP3 banner grabbing
telnet target 110
nc target 110
# IMAP banner grabbing
telnet target 143
nc target 1433. SSL Certificate Analysis
# Connect to IMAPS and analyze certificate
openssl s_client -connect target:993
# Connect to POP3S and analyze certificate
openssl s_client -connect target:995
# Show certificate details
openssl s_client -connect target:993 -showcerts
# Extract certificate information
openssl s_client -connect target:993 < /dev/null 2>/dev/null | openssl x509 -text4. Service Capabilities
# IMAP capability enumeration
telnet target 143
CAPABILITY
# POP3 capability enumeration
telnet target 110
CAPAAdvanced Enumeration
Using OpenSSL for Encrypted Connections
# Connect to IMAPS
openssl s_client -connect target:993
# Look for flags in server response: HTB{...}
# Connect to POP3S
openssl s_client -connect target:995
# Extract server information
# Connect with specific TLS version
openssl s_client -connect target:993 -tls1_2Using cURL for IMAP/POP3 Testing
# Basic IMAP connection with cURL
curl -k 'imaps://target' --user user:password
# IMAP with verbose output to see TLS details
curl -k 'imaps://target' --user cry0l1t3:1234 -v
# List IMAP folders
curl -k 'imaps://target' --user username:password -X 'LIST "" "*"'
# POP3 connection
curl -k 'pop3s://target' --user username:password
# POP3 with verbose output
curl -k 'pop3s://target' --user username:password -vExample cURL Verbose Output Analysis:
# cURL -v provides detailed TLS and protocol information:
curl -k 'imaps://target' --user cry0l1t3:1234 -v
# Key information extracted:
# * TLS version: TLSv1.3 / TLS_AES_256_GCM_SHA384
# * Certificate details:
# subject: C=US; ST=California; L=Sacramento; O=Inlanefreight;
# CN=mail1.inlanefreight.htb; emailAddress=cry0l1t3@inlanefreight.htb
# * Server banner: * OK [CAPABILITY...] HTB-Academy IMAP4 v.0.21.4
# * Available folders: Important, INBOXSSL Certificate Information Extraction
# Extract organization information
openssl s_client -connect target:993 2>/dev/null | grep -E "subject|issuer|commonName|organizationName"
# Example output analysis:
# Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd
# organizationName=InlaneFreight Ltd
# commonName=dev.inlanefreight.htbAuthentication Testing
# IMAP authentication
openssl s_client -connect target:993
tag0 LOGIN username password
# POP3 authentication
openssl s_client -connect target:995
USER username
PASS passwordIMAP Enumeration
Basic IMAP Commands
# Common IMAP commands
CAPABILITY # List server capabilities
LOGIN user pass # Authenticate user
LIST "" "*" # List all folders
SELECT folder # Select folder
FETCH n (BODY[]) # Fetch message body
LOGOUT # DisconnectIMAP Enumeration Session
# Connect to IMAPS
openssl s_client -connect target:993
# Authentication
tag0 LOGIN username password
# List folders
tag1 LIST "" "*"
# Select INBOX
tag2 SELECT "INBOX"
# Fetch first message
tag3 FETCH 1 (BODY[])POP3 Enumeration
Basic POP3 Commands
# Common POP3 commands
USER username # Specify username
PASS password # Specify password
LIST # List messages
RETR n # Retrieve message n
DELE n # Delete message n
QUIT # DisconnectPOP3 Enumeration Session
# Connect to POP3S
openssl s_client -connect target:995
# Authentication
USER username
PASS password
# List messages
LIST
# Retrieve first message
RETR 1Information Gathering
SSL Certificate Analysis
# Extract useful information from certificates
openssl s_client -connect target:993 2>/dev/null | grep -E "commonName|organizationName|stateOrProvinceName|countryName"
# Common certificate fields to analyze:
# - commonName: Server FQDN
# - organizationName: Company name
# - stateOrProvinceName: Location
# - countryName: Country codeEmail Header Analysis
# After connecting and authenticating, analyze email headers
tag3 FETCH 1 (BODY[HEADER])
# Look for:
# - Internal IP addresses
# - Server names
# - Email addresses
# - Routing informationPractical Examples
HTB Academy Style Enumeration
# Step 1: Service detection
nmap -p110,143,993,995 -sV -sC target
# Step 2: SSL certificate analysis
openssl s_client -connect target:993
# Extract: organizationName=InlaneFreight Ltd
# Extract: commonName=dev.inlanefreight.htb
# Step 3: Authentication with found credentials
openssl s_client -connect target:993
tag0 LOGIN robin robin
# Step 4: Folder enumeration
tag1 LIST "" "*"
# Step 5: Email content analysis
tag2 SELECT "INBOX"
tag3 FETCH 1 (BODY[])HTB Academy Lab Questions Examples
# Question 1: "Figure out the exact organization name from the IMAP/POP3 service"
nmap -p110,143,993,995 -sV -sC target
# Look at SSL certificate in output:
# Subject: commonName=mail1.inlanefreight.htb/organizationName=Inlanefreight
# Answer: Inlanefreight
# Question 2: "What is the FQDN that the IMAP and POP3 servers are assigned to?"
# From same SSL certificate:
# commonName=mail1.inlanefreight.htb
# Answer: mail1.inlanefreight.htb
# Question 3: "Enumerate the IMAP service and submit the flag"
openssl s_client -connect target:993
# Look for banner: * OK [CAPABILITY...] HTB-Academy IMAP4 v.0.21.4
# Extract flag from banner: HTB{...}
# Question 4: "What is the customized version of the POP3 server?"
openssl s_client -connect target:995
# Look for banner: +OK HTB-Academy POP3 Server
# Answer: HTB-Academy POP3 Server
# Question 5: "What is the admin email address?"
# From SSL certificate subject:
# emailAddress=cry0l1t3@inlanefreight.htb
# Answer: cry0l1t3@inlanefreight.htb
# Question 6: "Try to access the emails on the IMAP server and submit the flag"
openssl s_client -connect target:993
tag0 LOGIN robin robin
tag1 LIST "" "*"
tag2 SELECT "INBOX"
tag3 FETCH 1 (BODY[])
# Look for flag in email content: HTB{...}Custom Version Detection
# Connect to POP3 and grab custom version
telnet target 110
# Look for: +OK InFreight POP3 v9.188
# Connect to IMAP and grab custom version
telnet target 143
# Look for custom banners and capabilitiesCertificate Information Extraction
# Detailed certificate analysis from HTB Academy
openssl s_client -connect target:993 2>/dev/null | grep -E "subject|issuer"
# Example detailed output:
# subject: C=US; ST=California; L=Sacramento; O=Inlanefreight;
# OU=Customer Support; CN=mail1.inlanefreight.htb;
# emailAddress=cry0l1t3@inlanefreight.htb
#
# Extract all useful information:
# - Organization: Inlanefreight
# - FQDN: mail1.inlanefreight.htb
# - Admin email: cry0l1t3@inlanefreight.htb
# - Location: Sacramento, California, USSecurity Assessment
Common Vulnerabilities
Weak Authentication: Default or weak passwords
Plaintext Transmission: Unencrypted connections
Information Disclosure: Verbose error messages
Certificate Issues: Self-signed or invalid certificates
Authentication Testing
# Test common credentials
USER admin
PASS admin
USER root
PASS root
# Test with discovered usernames
USER discovered_user
PASS common_passwordEnumeration Checklist
Initial Discovery
Information Gathering
Authentication Testing
Content Analysis
Tools and Techniques
Essential Tools
# Manual testing
telnet # Basic connection testing
nc # Banner grabbing
openssl # SSL/TLS connection testing
# Automated enumeration
nmap # Service detection and scripts
smtp-user-enum # Can also test IMAP/POP3 in some casesCustom Scripts
# IMAP banner grabber
#!/bin/bash
echo "CAPABILITY" | nc $1 143
# POP3 banner grabber
#!/bin/bash
echo "CAPA" | nc $1 110
# SSL certificate extractor
#!/bin/bash
openssl s_client -connect $1:993 2>/dev/null | openssl x509 -text | grep -E "Subject|Issuer"Defensive Measures
Secure Configuration
# Disable plaintext authentication
# In dovecot.conf:
auth_mechanisms = plain login
disable_plaintext_auth = yes
# Force SSL/TLS
ssl = required
ssl_cert = </path/to/cert.pem
ssl_key = </path/to/key.pemBest Practices
Enforce SSL/TLS: Disable plaintext protocols
Strong Authentication: Implement strong password policies
Rate Limiting: Prevent brute force attacks
Monitoring: Log authentication attempts
Certificate Management: Use valid certificates
Detection and Monitoring
# Monitor mail server logs
tail -f /var/log/maillog
# Check for authentication failures
grep "authentication failure" /var/log/maillog
grep "Login failed" /var/log/maillogCommon Attack Vectors
1. Credential Brute Force
# Manual testing
for user in admin root test; do
for pass in admin password 123456; do
# Test credentials
done
done2. Information Disclosure
Server version information
Internal network details
Email addresses and contacts
Organizational structure
3. Man-in-the-Middle
Intercept plaintext connections
Certificate validation bypass
Credential harvesting
Last updated