GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/auxiliary/scanner/imap/imap_version.md

Description

This module identifies the version of IMAP in use by the server, as well as some of the login options. Any IMAP server should return this information.

Vulnerable Application

Install Dovecot on Kali Linux:

This installs only the IMAP component of Dovecot, since the other protocols are not required here. However, this is unrealistic in a production environment.

  1. sudo apt-get install dovecot-imapd

  2. /etc/init.d/dovecot start

Verification Steps

  1. Do: use auxiliary/scanner/imap/imap_version

  2. Do: set rhosts [ips]

  3. Do: run

Options

IMAPPASS

A password for an IMAP account.

IMAPUSER

A username for an IMAP account.

Scenarios

Dovecot 2.3.2 (582970113) on Kali

msf5 > use auxiliary/scanner/imap/imap_version
msf5 auxiliary(scanner/imap/imap_version) > set rhosts 10.168.202.216
rhosts => 10.168.202.216
msf5 auxiliary(scanner/imap/imap_version) > run
[+] 10.168.202.216:143 - 10.168.202.216:143 IMAP * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Debian) ready.\x0d\x0a
[*] 10.168.202.216:143 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
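The greeting in the scenario output carries the server's pre-login capability list, which is what a reviewer reads to see whether TLS upgrade is offered and whether plaintext login is advertised on port 143. The Ruby below is an added example, not code from the module or the original documentation; the helper names `parse_imap_greeting` and `review_findings` are hypothetical, and the sample string is the greeting text from the scenario.

```ruby
# Added example (not Metasploit code): summarise the pre-login capabilities
# in an IMAP greeting. Helper names are hypothetical.

# Greeting text copied from the scenario output, including the escaped CRLF
# that the module prints literally.
SAMPLE_GREETING = '* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ' \
                  'ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] ' \
                  'Dovecot (Debian) ready.\x0d\x0a'

# Returns a hash describing the greeting, or nil if the line holds no
# untagged OK/PREAUTH greeting. Text before "* OK" (host prefix) is ignored.
def parse_imap_greeting(line)
  line = line.sub(/(?:\\x0d\\x0a|\r\n)\s*\z/, '').strip
  m = line.match(/\* (OK|PREAUTH)(?: \[CAPABILITY ([^\]]*)\])?\s*(.*)\z/i)
  return nil unless m

  caps = (m[2] || '').split.map(&:upcase)
  {
    status: m[1].upcase,
    capabilities: caps,
    auth_mechanisms: caps.grep(/\AAUTH=/).map { |c| c.delete_prefix('AUTH=') },
    starttls: caps.include?('STARTTLS'),
    login_disabled: caps.include?('LOGINDISABLED'),
    server_text: m[3]
  }
end

# Review notes for a cleartext (port 143) listener, based only on what the
# server advertises before login.
def review_findings(info)
  return ['greeting has no CAPABILITY list; nothing to review'] if info[:capabilities].empty?

  notes = []
  notes << 'STARTTLS not offered: session cannot be upgraded to TLS' unless info[:starttls]
  plaintext = info[:auth_mechanisms] & %w[PLAIN LOGIN]
  unless info[:login_disabled] && plaintext.empty?
    notes << 'plaintext login advertised before TLS ' \
             "(LOGINDISABLED=#{info[:login_disabled]}, AUTH=#{plaintext.join(',')})"
  end
  notes << "greeting identifies server: #{info[:server_text]}" unless info[:server_text].empty?
  notes
end

puts review_findings(parse_imap_greeting(SAMPLE_GREETING)) if $PROGRAM_NAME == __FILE__
```

For the scenario's greeting this reports that plaintext login is advertised before TLS (no LOGINDISABLED, AUTH=PLAIN present) and that the greeting names Dovecot on Debian.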

Confirming

nmap

# nmap -p 143 -sV -script=imap-capabilities 10.168.202.216
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-11 18:43 EDT
Nmap scan report for 10.168.202.216
Host is up (0.000044s latency).

PORT    STATE SERVICE VERSION
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: LITERAL+ more AUTH=PLAINA0001 IDLE have LOGIN-REFERRALS ENABLE OK Pre-login listed capabilities post-login ID STARTTLS IMAP4rev1 SASL-IR