> For the complete documentation index, see [llms.txt](https://mvc1009.gitbook.io/hackingnotes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://mvc1009.gitbook.io/hackingnotes/services/service-imap.md).

# PORT 143,993/tcp - IMAP

## Internet Message Access Protocol (IMAP)

In computing, the **Internet Message Access Protocol** (**IMAP**) is an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. IMAP is defined by [RFC 3501](https://tools.ietf.org/html/rfc3501).

By default, the IMAP protocol works on two ports:

* **Port 143** - this is the default IMAP non-encrypted port
* **Port 993** - this is the port you need to use if you want to connect using IMAP securely

### Connection to IMAP server

We can established our connection to both ports, non-encrypted or encypted.

```
# Non-encrypted connection
telnet imap.server.local 143

# Encrypted connection
openssl s_client -crlf -connect imap.server.local:993
```

### Login

To take a look to victims mailboxes, we obviously need their creds.

```
A1 LOGIN user@server.local password
tag LOGIN user@server.local password
```

{% hint style="warning" %}
**Note**: Sometimes the user does **not** **contains** the **domain.**
{% endhint %}

### List Mailboxes

To list mailboxes run the following command.

```
A1 LIST "" *
tag LIST "" * 
```

### Select a Mailbox

After getting the existant mailboxes we need to choose one.

```
A1 SELECT "[INBOX]"
tag SELECT "[INBOX]"
```

### Mailbox status

With status command, we can see the total of non-read messages, sent messages and more over.

```
A1 STATUS "[INBOX]" (MESSAGES)
tag STATUS "[INBOX]" (MESSAGES)
```

### Fetch headers of all messages

Fetch command gives us the ability to read the messages.

```
A1 FETCH 1:* (BODY[HEADER])
tag FETCH 1:* (BODY[HEADER])
```

### Fetch message body

To see the body of the message we need to set up the flag **BODY** as argument.

```
#Non-multipart messages
A1 FETCH [Message] (BODY)
tag FETCH [Message] (BODY)

#Multipart messages (Normaly plain text -> n=1)
A1 FETCH [Message] (BODY[n])
tag FETCH [Message] (BODY[n])
```

### Logout

Finally, when we finish out job we need to logout to close the connection.

```
A1 LOGOUT
tag LOGOUT
```

### References:

* <https://tewarid.github.io/2011/05/10/access-imap-server-from-the-command-line-using-openssl.html>
* <https://book.hacktricks.xyz/pentesting/pentesting-imap>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://mvc1009.gitbook.io/hackingnotes/services/service-imap.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.