Note

IMAP usually runs on port 143 (unencrypted) and on alternatives such as 993 when encrypted.

POP3 usually runs on port 110 (unencrypted) and on alternatives such as 995 when encrypted.

⇒ Nice blog to read

Nmap scan

nmap 10.129.14.128 -sV -p110,143,993,995 -sC

HTB Cheatsheet

| Command | Description |
| --- | --- |
| `curl -k 'imaps://<FQDN/IP>' --user <user>:<password>` | Log in to the IMAPS service using cURL. |
| `openssl s_client -connect <FQDN/IP>:imaps` | Connect to the IMAPS service. |
| `openssl s_client -connect <FQDN/IP>:pop3s` | Connect to the POP3s service. |
| `curl -k --user robin:robin "imaps://10.129.220.71/DEV.DEPARTMENT.INT;UID=1"` | Extract a message from a specific mailbox on IMAP. |

IMAP Commands

| Command | Description |
| --- | --- |
| `1 LOGIN username password` | User's login. |
| `1 LIST "" *` | Lists all directories. |
| `1 CREATE "INBOX"` | Creates a mailbox with a specified name. |
| `1 DELETE "INBOX"` | Deletes a mailbox. |
| `1 RENAME "ToRead" "Important"` | Renames a mailbox. |
| `1 LSUB "" *` | Returns a subset of names from the set of names that the User has declared as being active or subscribed. |
| `1 SELECT INBOX` | Selects a mailbox so that messages in the mailbox can be accessed. |
| `1 UNSELECT INBOX` | Exits the selected mailbox. |
| `1 FETCH <ID> all` | Retrieves data associated with a message in the mailbox. |
| `1 CLOSE` | Removes all messages with the Deleted flag set. |
| `1 LOGOUT` | Closes the connection with the IMAP server. |

POP3 Commands

| Command | Description |
| --- | --- |
| `USER username` | Identifies the user. |
| `PASS password` | Authentication of the user using its password. |
| `STAT` | Requests the number of saved emails from the server. |
| `LIST` | Requests from the server the number and size of all emails. |
| `RETR id` | Requests the server to deliver the requested email by ID. |
| `DELE id` | Requests the server to delete the requested email by ID. |
| `CAPA` | Requests the server to display the server capabilities. |
| `RSET` | Requests the server to reset the transmitted information. |
| `QUIT` | Closes the connection with the POP3 server. |
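
The note at the top separates the unencrypted ports (143, 110) from the encrypted ones (993, 995), and the POP3 table lists `CAPA`. As an added example (not part of the original cheatsheet), this Python code parses the capability output a server returns on the unencrypted ports and reports where passwords could travel in cleartext. The function names and sample responses are constructed for illustration; the capability names (`STARTTLS`, `LOGINDISABLED`, `AUTH=`, `STLS`, `USER`, `SASL`) are the standard ones.

```python
# Added example: audit capability output seen on ports 143/110 BEFORE any TLS layer.
CLEARTEXT_SASL = ("PLAIN", "LOGIN")  # mechanisms that transmit the password itself

def parse_imap_capability(line):
    """Capability atoms from '* CAPABILITY ...' or an '* OK [CAPABILITY ...]' greeting."""
    upper = line.upper()
    idx = upper.find("CAPABILITY")
    if idx < 0:
        return set()
    return set(upper[idx + len("CAPABILITY"):].split("]", 1)[0].split())

def parse_pop3_capa(response):
    """Map capability name -> arguments from a multi-line POP3 CAPA response."""
    caps = {}
    for line in response.splitlines()[1:]:   # skip the '+OK' status line
        if line.strip() == ".":              # terminating line of the listing
            break
        if line.strip():
            name, *args = line.upper().split()
            caps[name] = args
    return caps

def audit_imap(caps):
    """Findings for IMAP capabilities advertised without TLS (port 143)."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN allowed without TLS")
    findings += [f"{c} offered without TLS" for c in sorted(caps)
                 if c.startswith("AUTH=") and c[5:] in CLEARTEXT_SASL]
    return findings

def audit_pop3(caps):
    """Findings for POP3 capabilities advertised without TLS (port 110)."""
    findings = []
    if "STLS" not in caps:
        findings.append("STLS not offered")
    if "USER" in caps:
        findings.append("USER/PASS allowed without TLS")
    findings += [f"SASL {m} offered without TLS" for m in caps.get("SASL", [])
                 if m in CLEARTEXT_SASL]
    return findings

# Constructed sample responses (not captured from a real server).
IMAP_WEAK = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready"
IMAP_GOOD = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
POP3_WEAK = "+OK\r\nUSER\r\nSASL PLAIN LOGIN\r\nUIDL\r\n.\r\n"
```

An empty list from `audit_imap` or `audit_pop3` means the unencrypted port forces a TLS upgrade before any credentials are accepted.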

You should check Footprinting Theory 🌚 to get further knowledge.