IMAP (143, 993)
IMAP (Internet Message Access Protocol) is a protocol used by email clients to retrieve messages from a mail server over a TCP/IP connection. Unlike POP3, which downloads messages to the client device, IMAP allows users to view and manipulate messages without downloading them, providing more flexibility and functionality.
IMAP operates on a client-server model, where the email client connects to the server and interacts with it to manage email messages.
https://github.com/0bfxgh0st/MMG-LO/
Connect Using Telnet
telnet <server-ip> <port>
Banner grabbing
telnet <server-ip> <port>
Enumeration
Use the page below as a reference for command syntax. It makes life very easy.
https://hacktricks.boitatech.com.br/pentesting/pentesting-imap
List available mailboxes
A1 LIST "" *
Enumerating email headers
A1 FETCH 1 BODY[HEADER.FIELDS (FROM TO SUBJECT DATE)]
Brute Force Attacks
Brute force attacks can be attempted against IMAP servers to guess usernames and passwords. Tools like Hydra and Nmap can be used for this purpose.
hydra -L users.txt -P passwords.txt imap://<server-ip>
nmap --script imap-brute -p 143,993 <target-ip>
IMAP Injection
IMAP injection attacks involve injecting malicious commands or data into IMAP requests to exploit vulnerabilities in the server software or gain unauthorized access to email accounts.
Man-in-the-Middle (MitM) Attacks
MitM attacks on IMAP traffic can intercept and modify email messages exchanged between the client and server, compromising the confidentiality and integrity of email communication.
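The greeting captured during banner grabbing also shows how exposed a server is to the interception described above. The following is an added example, not code from the original page or from any tool it links to: it parses a port 143 capture and flags settings that let credentials travel in cleartext. The sample banners are constructed and the function names are hypothetical.

```python
import re

# Capability list inside a greeting ("* OK [CAPABILITY ...] text") or in an
# untagged "* CAPABILITY ..." response, as defined in RFC 3501.
_CAP_RE = re.compile(
    r"^\* (?:OK|PREAUTH) \[CAPABILITY ([^\]]+)\]|^\* CAPABILITY (.+)$", re.I)

def parse_capabilities(lines):
    """Return the set of upper-cased capability tokens found in server lines."""
    caps = set()
    for line in lines:
        m = _CAP_RE.match(line.strip())
        if m:
            caps.update(t.upper() for t in (m.group(1) or m.group(2)).split())
    return caps

def audit_cleartext_port(lines):
    """List findings for a capture taken on port 143 before any TLS upgrade."""
    caps = parse_capabilities(lines)
    if not caps:
        return ["no capability list in capture"]
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: LOGIN allowed without TLS")
    weak = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if weak:
        findings.append("cleartext SASL before TLS: " + ", ".join(weak))
    return findings

# Constructed sample captures (hypothetical servers, not real hosts).
WEAK = ["* OK [CAPABILITY IMAP4rev1 IDLE AUTH=PLAIN AUTH=LOGIN] ready.\r\n"]
HARDENED = ["* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED] ready.\r\n"]
UNTAGGED = ["* OK IMAP4rev1 server ready\r\n",
            "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\n",
            "A1 OK CAPABILITY completed\r\n"]

if __name__ == "__main__":
    for name, capture in (("weak", WEAK), ("hardened", HARDENED),
                          ("untagged", UNTAGGED)):
        print(name, audit_cleartext_port(capture) or "no findings")
```

A clean result describes the server only. The capability list on port 143 arrives unauthenticated, so mail clients should still be configured to require TLS rather than use it opportunistically.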
Further Links
https://hackviser.com/tactics/pentesting/services/imap
https://hacktricks.boitatech.com.br/pentesting/pentesting-imap
https://banua.medium.com/proving-grounds-hepet-oscp-prep-2025-practice-17-3bdc3ad86495