NMAP
Footprinting the Service
1
sudo nmap -p110,143,993,995 -sCV -Pn -n -vvv 10.129.95.171
Connect to the IMAPS/POP3s service
1
2
openssl s_client -connect <FQDN/IP>:imaps Connect to the IMAPS service.
openssl s_client -connect <FQDN/IP>:pop3s Connect to the POP3s service.
Authentication
Log in to the IMAPS service using cURL.
1
curl -k 'imaps://<FQDN/IP>' --user <user>:<password>
Retrieving a mail
Steps to interact with IMAPS inbox via openssl 1) Connect to the IMAP service via openssl:
1
2
3
4
5
6
7
openssl s_client -connect 10.129.95.171:993
CONNECTED(00000003)1
.........
<SNIP>
.........
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] HTB{roncfbw7iszerd7shni7jr2343zhrj}
2) Once connected we need to authenticate with 1 LOGIN <user> <pass>
1
2
1 LOGIN robin robin
1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in
3) Show namespaces
1
2
3
n namespace
* NAMESPACE (("" ".")) NIL NIL
n OK Namespace completed (0.001 + 0.000 secs).
4) List the only namespace (“”)
1
2
3
4
5
6
1 LIST "" *
* LIST (\Noselect \HasChildren) "." DEV
* LIST (\Noselect \HasChildren) "." DEV.DEPARTMENT
* LIST (\HasNoChildren) "." DEV.DEPARTMENT.INT
* LIST (\HasNoChildren) "." INBOX
1 OK List completed (0.001 + 0.000 secs).
5) Selecting one of the inboxes, in this case the ones with “HasNoChildren”
1
2
3
4
5
6
7
8
1 SELECT DEV.DEPARTMENT.INT
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1636414279] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
1 OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
6) Now retrieving only the Subject with f fetch 1:1 (BODY[HEADER.FIELDS (Subject)]) this 1:1 is because there is only 1 EXISTS in the inbox if there was 4 EXISTS the command should look like this f fetch 1:4 (BODY[HEADER.FIELDS (Subject)])
1
2
3
4
5
6
f fetch 1:1 (BODY[HEADER.FIELDS (Subject)])
* 1 FETCH (BODY[HEADER.FIELDS (SUBJECT)] {17}
Subject: Flag
)
f OK Fetch completed (0.004 + 0.000 + 0.003 secs).
7) We can also search UNSEEN emails:
1
2
3
s search UNSEEN
* SEARCH
s OK Search completed (0.001 + 0.000 secs).
8) Finally to check the mails we can fetch the data with the email’s number as follows 1 fetch 1 RFC822
1
2
3
4
5
6
7
8
9
10
F1 fetch 1 RFC822
* 1 FETCH (RFC822 {167}
Subject: Flag
To: Robin <robin@inlanefreight.htb>
From: CTO <devadmin@inlanefreight.htb>
Date: Wed, 03 Nov 2021 16:13:27 +0200
HTB{983uzn8jmfgpd8jmof8c34n7zio}
)
F1 OK Fetch completed (0.001 + 0.000 secs).
IMAP Commands
| Command | Description | |——–|——-| |1 LOGIN username password | User’s login. | |1 LIST “” * | Lists all directories. | |1 CREATE “INBOX” | Creates a mailbox with a specified name. | |1 DELETE “INBOX” | Deletes a mailbox. | |1 RENAME “ToRead” “Important” | Renames a mailbox. | |1 LSUB “” * | Returns a subset of names from the set of names that the User has declared as being active or subscribed. | |1 SELECT INBOX | Selects a mailbox so that messages in the mailbox can be accessed. | |1 UNSELECT INBOX | Exits the selected mailbox. | |1 FETCH
POP3 Commands
|Command | Description | |——–|——-| |USER username | Identifies the user. | |PASS password | Authentication of the user using its password. | |STAT | Requests the number of saved emails from the server. | |LIST | Requests from the server the number and size of all emails. | |RETR id | Requests the server to deliver the requested email by ID. | |DELE id | Requests the server to delete the requested email by ID. | |CAPA | Requests the server to display the server capabilities. | |RSET | Requests the server to reset the transmitted information. | |QUIT | Closes the connection with the POP3 server. |