Notes
| Alternative Ports |
|---|
| 143 TCP (IMAP plaintext) |
| 993 TCP (IMAPS over SSL) |
Service Description
IMAP (Internet Message Access Protocol) allows clients to access and manipulate email messages on a mail server in real-time. Unlike POP3, IMAP keeps email on the server, supporting multiple simultaneous clients and folder structures. Port 143 is plaintext; port 993 uses SSL/TLS.
IMAP on port 143 transmits credentials and email content in plaintext unless STARTTLS is enforced.
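A way to check whether STARTTLS is actually enforced on port 143, rather than merely offered, is to inspect the capabilities the server advertises before TLS. The following is an added example, not part of the original notes: it parses a greeting or CAPABILITY response and flags settings that allow cleartext authentication, relying on the LOGINDISABLED capability from RFC 3501. The sample responses and function names are constructed for illustration.

```python
import re

# Constructed sample pre-TLS responses (not captured from any real server).
SAMPLES = {
    "weak": "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] ready",
    "starttls_optional": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN",
    "hardened": "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED",
}

# SASL mechanisms that send the password itself over the wire.
CLEARTEXT_MECHS = ("AUTH=PLAIN", "AUTH=LOGIN")


def parse_capabilities(line):
    """Return the upper-cased capability set from a greeting or CAPABILITY line."""
    # Form 1: response code inside the greeting, e.g. "* OK [CAPABILITY ...]"
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
    if not m:
        # Form 2: untagged response, e.g. "* CAPABILITY ..."
        m = re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I)
    return {c.upper() for c in m.group(1).split()} if m else set()


def assess_pre_tls(line):
    """List findings for a capability line seen on port 143 before TLS."""
    caps = parse_capabilities(line)
    if not caps:
        return ["no capability data: issue CAPABILITY and re-check"]
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: session cannot be upgraded")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: LOGIN not disabled before TLS")
    offered = sorted(c for c in caps if c in CLEARTEXT_MECHS)
    if offered:
        findings.append("cleartext SASL offered before TLS: " + ", ".join(offered))
    return findings


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        result = assess_pre_tls(line)
        print(name, "->", result if result else "STARTTLS enforced")
```

A server can advertise a different capability list after TLS is established, so only the pre-TLS response on port 143 should be fed to this check.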
Attacks
Cleartext Credential Sniffing (143)
Unencrypted USER/PASS can be captured during authentication.
Weak Auth / Bruteforce
Common on misconfigured or legacy email infrastructure.
Mailbox Pivoting / Credential Harvesting
Harvest creds or sensitive info from inboxes.
Credential Reuse
Often reused for SMTP, VPN, or corporate SSO.
Tools & Exploits
Enumeration
nmap
nmap -sV -p143,993 --script=imap-capabilities,imap-brute <target>
openssl / telnet
# IMAP on 143 (openssl upgrades with STARTTLS; telnet stays plaintext)
openssl s_client -connect <target>:143 -starttls imap
telnet <target> 143
# SSL/TLS IMAPS
openssl s_client -connect <target>:993
hydra
hydra -L users.txt -P passwords.txt imap://<target>
msfconsole
use auxiliary/scanner/imap/imap_login
Exploitation or Post-Enum
Access Mailbox
After logging in:
A1 LOGIN user@example.com pass123
A2 LIST "" "*"
A3 SELECT INBOX
A4 FETCH 1:* BODY[TEXT]
Harvest Sensitive Data
Look for passwords, links, internal IPs, or OTPs in inbox.
Leverage for Lateral Movement
Try IMAP creds for SMTP/SMB/VPN if re-use suspected.
Sniffing
tcpdump -i eth0 -A port 143
Wireshark Analysis Tips
Filters
tcp.port == 143 || tcp.port == 993
imap
What to look for:
- LOGIN commands with cleartext creds (143)
- FETCH/LIST/SELECT interactions
- Attachment data or internal message headers
Email Header Analysis
- Use FETCH 1 BODY[HEADER] to view raw headers
- Extract useful data:
  - Received: headers show internal routing
  - Message-ID, Return-Path, User-Agent may reveal system/user metadata
  - From: and Reply-To: for impersonation checks or phishing context