[110,143,993,995] IMAP/POP3 Enumeration

GUI Tools:

Evolution: sudo apt-get install evolution

Note: If an error appears when starting evolution indicating "bwrap: Can't create file at ...", use this command to start evolution export WEBKIT_FORCE_SANDBOX=0 && evolution.

Automatic tools to enumerate

GitHub - dafthack/MailSniper: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.GitHub

GitHub - 0xZDH/o365spray: Username enumeration and password spraying tool aimed at Microsoft O365.GitHub

GitHub - ustayready/CredKing: Password spraying using AWS Lambda for IP rotationGitHub


#Enumerate the service by using nmap
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.14.128 -sV -p110,143,993,995 -sC

#Log in by using curl and list the folders
Intrusionz3r0X@htb[/htb]$ curl -k 'imaps://10.129.14.128' --user robin:robin -v

#Select the mailbox DEV.DEPARTMENT.INT and list ALL
Intrusionz3r0X@htb[/htb]$ curl -k 'imaps://10.129.42.195/DEV.DEPARTMENT.INT?ALL' --user robin:robin

#Read the email with index #1
Intrusionz3r0X@htb[/htb]$ curl -k 'imaps://10.129.42.195/DEV.DEPARTMENT.INT;MAILINDEX=1' --user robin:robin

#OpenSSL - TLS Encrypted Interaction POP3
Intrusionz3r0X@htb[/htb]$ openssl s_client -connect 10.129.14.128:pop3s

#OpenSSL - TLS Encrypted Interaction IMAP
Intrusionz3r0X@htb[/htb]$ openssl s_client -connect 10.129.14.128:imaps

#User enumeration
Intrusionz3r0X@htb[/htb]$ hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3

#Manual user enumeration example
Intrusionz3r0X@htb[/htb]$ telnet 10.10.110.20 110

Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
+OK POP3 Server ready

USER julio

-ERR

USER john

+OK

#Open Rely attack

Intrusionz3r0X@htb[/htb]# swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213

IMAP Commands

Command

Description

1 LOGIN username password

User's login.

1 LIST "" *

Lists all directories.

1 CREATE "INBOX"

Creates a mailbox with a specified name.

1 DELETE "INBOX"

Deletes a mailbox.

1 RENAME "ToRead" "Important"

Renames a mailbox.

1 LSUB "" *

Returns a subset of names from the set of names that the User has declared as being active or subscribed.

1 SELECT INBOX

Selects a mailbox so that messages in the mailbox can be accessed.

1 UNSELECT INBOX

Exits the selected mailbox.

1 FETCH <ID> all

Retrieves data associated with a message in the mailbox.

1 CLOSE

Removes all messages with the Deleted flag set.

1 LOGOUT

Closes the connection with the IMAP server.

POP3 Commands

Command

Description

USER username

Identifies the user.

PASS password

Authentication of the user using its password.

STAT

Requests the number of saved emails from the server.

LIST

Requests from the server the number and size of all emails.

RETR id

Requests the server to deliver the requested email by ID.

DELE id

Requests the server to delete the requested email by ID.

CAPA

Requests the server to display the server capabilities.

RSET

Requests the server to reset the transmitted information.

QUIT

Closes the connection with the POP3 server.

Previous[80 443] HTTP HTTPS Next[111,2049] Network File System

Last updated 1 year ago