IMAP (143,993)


Cheat sheet

IMAP Enumeration Cheatsheet

CommandsDescription
sudo nmap -sV -p143,993 <target>Detect IMAP service and version
openssl s_client -connect <target>:993Connect to IMAP over SSL (port 993)
openssl s_client -starttls imap -connect <target>:143Upgrade plaintext IMAP to TLS using STARTTLS
telnet <target> 143Manual interaction over plaintext IMAP
nc <target> 143Netcat to connect for manual IMAP testing
curl -u user:pass imaps://<target>/ -kUse curl to test login to IMAP
swaks --server <target> --auth-user <user> --auth-password <pass> --protocol imapUse swaks for login tests
python3 imap_brute.py <target> <userlist> <passlist>Custom brute-force script (if needed)

NSE Scripts

find / -type f -name imap* 2>/dev/null | grep scripts

/usr/share/nmap/scripts/imap-brute.nse  
/usr/share/nmap/scripts/imap-ntlm-info.nse

IMAP (Internet Message Access Protocol) is used by mail clients to retrieve and manage emails stored on a mail server. Unlike POP3, it leaves messages on the server and supports folders, flags, and concurrent access.

• Port 143: IMAP (plaintext or STARTTLS)
• Port 993: IMAPS (implicit SSL)

IMAP Commands Reference

CommandDescription
1 LOGIN username passwordUser’s login
1 LIST "" *Lists all directories
1 CREATE "INBOX"Creates a mailbox with a specified name
1 DELETE "INBOX"Deletes a mailbox
1 RENAME "ToRead" "Important"Renames a mailbox
1 LSUB "" *Returns subscribed mailboxes
1 SELECT INBOXSelects a mailbox to access its messages
1 UNSELECT INBOXExits the selected mailbox
1 FETCH <ID> allRetrieves data from a message
1 CLOSEDeletes messages flagged as Deleted from the selected mailbox
1 LOGOUTCloses the connection with the IMAP server

IMAP