Nmap Development mailing list archives

[SCRIPT] [NSE] IMAP capabilities script (and simple IMAP library)


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 1 May 2009 01:00:38 +0000

Hey folks, Philip's pop3-capabilities NSE script motivated me to audit
our campus network for mail servers offering unencrypted
authentication.  Wanting to do the same for IMAP, I wrote a very simple
imap.lua IMAP library and accompanying imap-capabilities script.

Since IMAP requires each command issued to be issued with a unique ID I
decided not to tackle logging in and other more complicated things in
the IMAP library.  If someone does try to add that, the routines will
probably have to keep some sort of state to record the ID/nonce being
used.  I just hardcoded "a001" as the nonce for the CAPABILITIES
command.

Output looks something like this:

PORT    STATE SERVICE  REASON  VERSION
993/tcp open  ssl/imap syn-ack Courier Imapd (released 2005)
|_ imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA AUTH=PLAIN THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN

Or for a server that enforces STARTTLS:

PORT    STATE SERVICE REASON
143/tcp open  imap    syn-ack
|_ imap-capabilities: LOGINDISABLED IDLE IMAP4 LITERAL+ STARTTLS NAMESPACE IMAP4rev1


Comments on the script welcome.  I may enhance them to do IMAP "LOGIN"
or "PLAIN" brute forcing at a later date.  Somebody else is welcome to
beat me to it ;-)

Brandon


Attachment: imap-capabilities.nse
Attachment: imap.lua
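
Added example, not part of the original post and not the attached imap.lua or imap-capabilities.nse: Python code that keeps the per-connection tag state the post describes, parses a capability reply, and reports whether credentials could be sent unencrypted. The names ImapTagger, parse_capability and cleartext_findings are hypothetical, and the two replies are constructed from the capability lists shown in the post.

```python
import itertools

class ImapTagger:
    """Per-connection state: hands out a fresh tag for every command sent."""
    def __init__(self, prefix="a"):
        self._prefix, self._n = prefix, itertools.count(1)

    def next_tag(self):
        return "%s%03d" % (self._prefix, next(self._n))

def parse_capability(reply, tag):
    """Return the capability set, or None unless `tag` completed with OK."""
    caps, completed = set(), False
    for line in reply.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "*" and words[1].upper() == "CAPABILITY":
            caps.update(w.upper() for w in words[2:])
        elif len(words) >= 2 and words[0] == tag:
            completed = words[1].upper() == "OK"
    return caps if completed else None

def cleartext_findings(caps, tls_wrapped):
    """List the ways credentials could cross the wire unencrypted."""
    if tls_wrapped:              # e.g. 993/tcp ssl/imap: channel already encrypted
        return []
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN accepted without TLS")
    findings += sorted(c + " offered without TLS"
                       for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS upgrade available")
    return findings

# Constructed replies built from the two capability lists in the post.
COURIER = ("* CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE "
           "THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL "
           "ACL2=UNION AUTH=PLAIN\r\na001 OK CAPABILITY completed\r\n")
STARTTLS_ONLY = ("* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ IDLE NAMESPACE "
                 "STARTTLS LOGINDISABLED\r\na001 OK CAPABILITY completed\r\n")

if __name__ == "__main__":
    for name, reply, tls in (("993 ssl/imap", COURIER, True),
                             ("143 imap", STARTTLS_ONLY, False),
                             ("Courier list on a plain port (hypothetical)", COURIER, False)):
        tag = ImapTagger().next_tag()   # "a001", matching the constructed replies
        print(name, "->", cleartext_findings(parse_capability(reply, tag), tls) or "ok")
```

A reply whose tagged completion line does not match the tag that was sent is rejected (None) rather than trusted, which is why the tag counter has to live with the connection.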

