IMAP / POP3 Enumeration Cheatsheet

Default Ports:

  • IMAP: 143 (plain), 993 (SSL/TLS)
  • POP3: 110 (plain), 995 (SSL/TLS)

nc -nv <ip> 110                              # POP3
nc -nv <ip> 143                              # IMAP
openssl s_client -connect <ip>:993           # IMAPS
openssl s_client -connect <ip>:995           # POP3S
openssl s_client -connect <ip>:143 -starttls imap   # STARTTLS IMAP

POP3 Commands (Manual)

USER <username>
PASS <password>
STAT                    # Mailbox stats (message count, total size)
LIST                    # List all messages with sizes
LIST <n>                # Info for message n
RETR <n>                # Retrieve (download) message n
DELE <n>                # Mark message n for deletion
TOP <n> <lines>         # Retrieve headers + first N lines of message n
UIDL                    # Unique ID listing for all messages
NOOP                    # Keep-alive
RSET                    # Unmark any deletions
QUIT                    # Commit deletes and disconnect

IMAP Commands (Manual)

a LOGIN <user> <pass>
a CAPABILITY                         # Show server capabilities
a LIST "" "*"                        # List all mailboxes
a SELECT INBOX                       # Select inbox
a STATUS INBOX (MESSAGES UNSEEN)     # Inbox stats
a FETCH 1:* (FLAGS)                  # List messages with flags
a FETCH 1 (BODY[])                   # Download full message 1
a FETCH 1 (BODY[HEADER])             # Headers only
a FETCH 1 (BODY[TEXT])               # Body only
a SEARCH ALL                         # Search all messages
a SEARCH UNSEEN                      # Search unread messages
a EXAMINE INBOX                      # Read-only select
a LOGOUT

Nmap Scripts

nmap -p 110,143,993,995 --script imap-capabilities <ip>
nmap -p 110,143,993,995 --script pop3-capabilities <ip>
nmap -p 110 --script pop3-brute <ip>
nmap -p 143 --script imap-brute <ip>
nmap -p 143,993 --script imap-ntlm-info <ip>    # Windows NTLM info leak (IMAP ports only)
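
Reading the capability output when auditing your own server: the added example below (not part of the original cheatsheet) parses an IMAP CAPABILITY response or a POP3 CAPA reply taken on the cleartext port and flags plaintext authentication offered before TLS. The function names and the sample responses are constructed for illustration.

```python
import re

def imap_caps(response):
    """Capability atoms from '* CAPABILITY ...' lines or a '[CAPABILITY ...]' greeting code."""
    caps = set()
    for m in re.finditer(r"(?:\* |\[)CAPABILITY ([^\]\r\n]*)", response, re.I):
        caps.update(tok.upper() for tok in m.group(1).split())
    return caps

def pop3_caps(response):
    """Capabilities from a multi-line CAPA reply; SASL mechanisms become 'SASL=<mech>'."""
    caps = set()
    lines = response.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("+OK"):
        return caps
    for line in lines[1:]:
        if line == ".":          # end of the multi-line reply
            break
        words = line.upper().split()
        if words and words[0] == "SASL":
            caps.update("SASL=" + mech for mech in words[1:])
        elif words:
            caps.add(words[0])
    return caps

def audit_cleartext(proto, caps):
    """Findings for capabilities seen on a cleartext port (143 or 110) before any TLS upgrade."""
    findings = []
    if proto == "imap":
        upgrade, sasl = "STARTTLS", {"AUTH=PLAIN", "AUTH=LOGIN"}
        if "LOGINDISABLED" not in caps:
            findings.append("LOGIN not disabled before TLS (LOGINDISABLED not advertised)")
    else:
        upgrade, sasl = "STLS", {"SASL=PLAIN", "SASL=LOGIN"}
        if "USER" in caps:
            findings.append("USER/PASS advertised before TLS")
    if caps & sasl:
        findings.append("plaintext SASL before TLS: " + ", ".join(sorted(caps & sasl)))
    if upgrade not in caps:
        findings.append("no " + upgrade + " upgrade offered")
    return findings

# Constructed sample responses (not captured from a real server).
WEAK_IMAP = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE\r\na OK done\r\n"
HARDENED_IMAP = "* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED] ready\r\n"
WEAK_POP3 = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nUSER\r\nSASL PLAIN LOGIN\r\n.\r\n"

if __name__ == "__main__":
    print(audit_cleartext("imap", imap_caps(WEAK_IMAP)))
    print(audit_cleartext("imap", imap_caps(HARDENED_IMAP)))
    print(audit_cleartext("pop3", pop3_caps(WEAK_POP3)))
```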

Brute Force

hydra -l <user> -P wordlist.txt imap://<ip>
hydra -l <user> -P wordlist.txt pop3://<ip>
hydra -l <user> -P wordlist.txt -s 993 -S imap://<ip>    # IMAPS
hydra -l <user> -P wordlist.txt -s 995 -S pop3://<ip>    # POP3S

curl Mail Access

# List mailboxes
curl -k 'imaps://<ip>' --user <user>:<pass>

# List folders under INBOX (curl sends LIST for a bare mailbox path, not a message listing)
curl -k 'imaps://<ip>/INBOX' --user <user>:<pass>

# Read specific message
curl -k 'imaps://<ip>/INBOX;MAILINDEX=1' --user <user>:<pass>

# POP3 via curl
curl -k 'pop3s://<ip>' --user <user>:<pass>
curl -k 'pop3s://<ip>/1' --user <user>:<pass>    # Download message 1