SMTP
nmap & smtp-enum
smtp-user-enum -M VRFY -U /userlist.txt -w 20 -t xxx.xxx.xxx.xxx
POP3, IMAP et al
sudo nmap 10.129.14.128 -sV -p110,143,993,995 -sC
SSL openssl
openssl s_client -connect 10.129.14.128:pop3s
openssl s_client -connect 10.129.14.128:imaps
CURL
curl -k 'imaps://10.129.14.128' --user cry0l1t3:1234 -v
POP3 Commands
Command | Description |
---|---|
USER username | Identifies the user. |
PASS password | Authentication of the user using its password. |
STAT | Requests the number of saved emails from the server. |
LIST | Requests from the server the number and size of all emails. |
RETR id | Requests the server to deliver the requested email by ID. |
DELE id | Requests the server to delete the requested email by ID. |
CAPA | Requests the server to display the server capabilities. |
RSET | Requests the server to reset the transmitted information. |
QUIT | Closes the connection with the POP3 server. |
USER – Your POP3 user name
PASS – Your password
STAT – Responds with number of messages in maildrop and size of mail drop in octets.
LIST msg – If an argument is entered information on that message is returned. If no argument is entered then information on all messages are listed. Useful if you need to know number and size of messages in mail drop.
RETR msg – Message is listed.
DELE msg – Message is marked for deletion.
Remember to use the QUIT command when finished so messages are deleted.
NOOP – Does nothing, simply returns a positive response.
RSET – If messages have been marked for deletion they are unmarked.
TOP msg n – Returns header information for message and returns the number of lines of the message body represented by n.
UIDL msg – Returns message number and a Unique message ID Listing.
POP3 protocol commands
POP3 protocol (RFC 1939) is intended for managing incoming email. POP3 protocol commands are listed in the table below.
Command | Description | Example |
---|---|---|
USER [username] | 1st login command | USER Stan +OK Please enter a password |
PASS [password] | 2nd login command | PASS SeCrEt +OK valid logon |
QUIT | Logs out and saves any changes | QUIT +OK Bye-bye. |
STAT | Returns total number of messages and total size | STAT +OK 2 320 |
LIST | Lists all messages: Returns indexed list of messages, along with size | LIST +OK 2 messages (320 octets) 1 120 2 200 … LIST 2 +OK 2 200 |
RETR [message index] | Retrieves the whole message | RETR 1 +OK 120 octets follow. *** |
DELE [message index] | Deletes the specified message | DELE 2 +OK message deleted |
TOP [message index] [num lines to return] | Returns the headers and top X lines of a message by message index (from LIST). Can be used to display the 1st few lines of a message. Headers are always returned. | TOP 2 1 +OK < MIME-Version: 1.0X-Mailer: MailBee.NET 6.5.2.236To: [email protected]: …., etc.>*** |
UIDL [message index] | Returns a unique ID for a message index (from LIST). This ID is used by POP3 clients to identify previously downloaded messages. A client would connect, pull a LIST of messages, then pull a UIDL for each message index listed. If the UIDL had been downloaded prior, message can be skipped. If UIDL has not yet been downloaded, use the RETR command to download this new message. | UIDL 1 +OK 1 6866N |
NOOP | The POP3 server does nothing, it merely replies with a positive response. | NOOP +OK |
RSET | Undelete the message if any marked for deletion | RSET +OK maildrop has 2 messages (320 octets) |
IMAP Commands
Command | Description |
---|---|
1 LOGIN username password | User’s login. |
1 LIST "" * | Lists all directories. |
1 CREATE "INBOX" | Creates a mailbox with a specified name. |
1 DELETE "INBOX" | Deletes a mailbox. |
1 RENAME "ToRead" "Important" | Renames a mailbox. |
1 LSUB "" * | Returns a subset of names from the set of names that the User has declared as being active or subscribed. |
1 SELECT INBOX | Selects a mailbox so that messages in the mailbox can be accessed. |
1 UNSELECT INBOX | Exits the selected mailbox. |
1 FETCH <ID> all | Retrieves data associated with a message in the mailbox. |
1 CLOSE | Removes all messages with the Deleted flag set. |
1 LOGOUT | Closes the connection with the IMAP server. |
Login
A1 LOGIN username password
Values can be quoted to enclose spaces and special characters. A " must then be escaped with a \
A1 LOGIN "username" "pass word"
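The quoting rule above, as an added example (not part of the original notes): a helper that builds a LOGIN line with both values quoted and escaped, and refuses values that RFC 3501 does not allow inside a quoted string (line breaks, NUL, non-ASCII). The function names `imap_quote` and `login_command` are made up for this sketch.

```python
import re

# Characters RFC 3501 forbids inside a quoted string: CR, LF, NUL and anything
# outside 7-bit ASCII. Such values need a literal ({n} + CRLF + bytes) instead.
_UNQUOTABLE = re.compile(r"[\r\n\x00]|[^\x00-\x7f]")


def imap_quote(value: str) -> str:
    """Return value as an IMAP quoted string, escaping backslash and double quote."""
    if _UNQUOTABLE.search(value):
        raise ValueError("value cannot be sent as a quoted string")
    # Escape the backslash first so the escapes added for '"' are not doubled.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def login_command(tag: str, username: str, password: str) -> bytes:
    """Build one complete LOGIN command line, terminated by CRLF."""
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError("tag must be a plain alphanumeric token")
    line = f"{tag} LOGIN {imap_quote(username)} {imap_quote(password)}\r\n"
    return line.encode("ascii")


if __name__ == "__main__":
    # Constructed sample values, matching the example line above.
    print(login_command("A1", "username", "pass word"))
    print(imap_quote('pa"ss\\word'))
```

Because every value is checked before it is placed on the line, a password or mailbox name taken from user input cannot end the command early or start a second one.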
List Folders/Mailboxes
A1 LIST "" *
A1 LIST INBOX *
A1 LIST "Archive" *
Create new Folder/Mailbox
A1 CREATE INBOX.Archive.2012
A1 CREATE "To Read"
Delete Folder/Mailbox
A1 DELETE INBOX.Archive.2012
A1 DELETE "To Read"
Rename Folder/Mailbox
A1 RENAME "INBOX.One" "INBOX.Two"
List Subscribed Mailboxes
A1 LSUB "" *
Status of Mailbox
There are more flags than the ones listed
A1 STATUS INBOX (MESSAGES UNSEEN RECENT)
Select a mailbox
A1 SELECT INBOX
List messages
A1 FETCH 1:* (FLAGS)
A1 UID FETCH 1:* (FLAGS)
Retrieve Message Content
A1 FETCH 2 body[text]
A1 FETCH 2 all
A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[])
Close Mailbox
A1 CLOSE
Logout
A1 LOGOUT
or
robo@some-server:~$ telnet localhost imap
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
a1 LOGIN robo yetanotherrandompasswordtofoolyou
a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in
a2 LIST "" "*"
* LIST (\HasNoChildren \Sent) "." Sent
* LIST (\HasNoChildren) "." INBOX
a2 OK List completed.
a3 EXAMINE INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1431224194] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
* OK [NOMODSEQ] No permanent modsequences
a3 OK [READ-ONLY] Examine completed (0.000 secs).
a4 FETCH 1 BODY[]
a4 BAD Error in IMAP command FETCH: Invalid messageset
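The greeting in the session above advertises AUTH=PLAIN and AUTH=LOGIN, with no LOGINDISABLED, on a connection that has not negotiated TLS. The following added example (not part of the original notes) parses such a greeting and reports those conditions; the function names and the wording of the findings are this sketch's own.

```python
import re

CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")

# Greeting copied from the telnet session above (cleartext connection).
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
            "IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.")

# SASL mechanisms that transmit the password itself, only base64-encoded.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(line: str) -> set[str]:
    """Extract the capability atoms from a greeting or tagged OK line."""
    m = CAP_RE.search(line)
    return {c.upper() for c in m.group(1).split()} if m else set()


def audit_cleartext_greeting(line: str) -> list[str]:
    """Return findings for a greeting received before any TLS negotiation."""
    caps = parse_capabilities(line)
    if not caps:
        return ["no CAPABILITY in greeting; send a CAPABILITY command and re-check"]
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN not disabled before TLS (LOGINDISABLED absent)")
    mechs = {c[5:] for c in caps if c.startswith("AUTH=")}
    for mech in sorted(mechs & PLAINTEXT_MECHS):
        findings.append(f"AUTH={mech} advertised without TLS")
    return findings


if __name__ == "__main__":
    for finding in audit_cleartext_greeting(GREETING):
        print(finding)
```

Run the check against the greeting a remote client sees: Dovecot treats connections from the local host as secure and permits plaintext authentication there, so a localhost session like the one above can differ from what the network sees.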