[110,143,993,995] IMAP/POP3 Enumeration

GUI Tools:

• Evolution: sudo apt-get install evolution

Note: If an error appears when starting evolution indicating "bwrap: Can't create file at ...", use this command to start evolution export WEBKIT_FORCE_SANDBOX=0 && evolution.

Automatic tools to enumerate

GitHub - dafthack/MailSniper: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.GitHub

GitHub - 0xZDH/o365spray: Username enumeration and password spraying tool aimed at Microsoft O365.GitHub

GitHub - ustayready/CredKing: Password spraying using AWS Lambda for IP rotationGitHub

#Enumerate the service by using nmap
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.14.128 -sV -p110,143,993,995 -sC

#Log in by using curl and list the folders
Intrusionz3r0X@htb[/htb]$ curl -k 'imaps://10.129.14.128' --user robin:robin -v

#Select the mailbox DEV.DEPARTMENT.INT and list ALL
Intrusionz3r0X@htb[/htb]$ curl -k 'imaps://10.129.42.195/DEV.DEPARTMENT.INT?ALL' --user robin:robin

#Read the email with index #1
Intrusionz3r0X@htb[/htb]$ curl -k 'imaps://10.129.42.195/DEV.DEPARTMENT.INT;MAILINDEX=1' --user robin:robin

#OpenSSL - TLS Encrypted Interaction POP3
Intrusionz3r0X@htb[/htb]$ openssl s_client -connect 10.129.14.128:pop3s

#OpenSSL - TLS Encrypted Interaction IMAP
Intrusionz3r0X@htb[/htb]$ openssl s_client -connect 10.129.14.128:imaps

#User enumeration
Intrusionz3r0X@htb[/htb]$ hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3

#Manual user enumeration example
Intrusionz3r0X@htb[/htb]$ telnet 10.10.110.20 110

Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
+OK POP3 Server ready

USER julio

-ERR

USER john

+OK

#Open Rely attack

Intrusionz3r0X@htb[/htb]# swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213

IMAP Commands

Command	Description
1 LOGIN username password	User's login.
1 LIST "" *	Lists all directories.
1 CREATE "INBOX"	Creates a mailbox with a specified name.
1 DELETE "INBOX"	Deletes a mailbox.
1 RENAME "ToRead" "Important"	Renames a mailbox.
1 LSUB "" *	Returns a subset of names from the set of names that the User has declared as being active or subscribed.
1 SELECT INBOX	Selects a mailbox so that messages in the mailbox can be accessed.
1 UNSELECT INBOX	Exits the selected mailbox.
1 FETCH <ID> all	Retrieves data associated with a message in the mailbox.
1 CLOSE	Removes all messages with the Deleted flag set.
1 LOGOUT	Closes the connection with the IMAP server.

POP3 Commands

Command	Description
USER username	Identifies the user.
PASS password	Authentication of the user using its password.
STAT	Requests the number of saved emails from the server.
LIST	Requests from the server the number and size of all emails.
RETR id	Requests the server to deliver the requested email by ID.
DELE id	Requests the server to delete the requested email by ID.
CAPA	Requests the server to display the server capabilities.
RSET	Requests the server to reset the transmitted information.
QUIT	Closes the connection with the POP3 server.