Re: [SCRIPT] [NSE] IMAP capabilities script (and simple IMAP library)

[David Fifield <david () bamsoftware com>]

On Fri, May 01, 2009 at 01:00:38AM +0000, Brandon Enright wrote:
> Hey folks, Philip's pop3-capabilities NSE script motivated me to audit
> our campus network for mail servers offering unencrypted
> authentication.  Wanting to do the same for IMAP, I wrote a very simple
> imap.lua IMAP library and accompanying imap-capabilities script.
>
> Since IMAP requires each command issued to be issued with a unique ID I
> decided not to tackle logging in and other more complicated things in
> the IMAP library.  If someone does try to add that, the routines will
> probably have to keep some sort of state to record the ID/nonce being
> used.  I just hardcoded "a001" as the nonce for the CAPABILITIES
> command.
>
> Output looks something like this:
>
> PORT    STATE SERVICE  REASON  VERSION
> 993/tcp open  ssl/imap syn-ack Courier Imapd (released 2005)
> |_ imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA AUTH=PLAIN THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 
> IDLE NAMESPACE CHILDREN
>
> Or for a server that enforces STARTTLS:
>
> PORT    STATE SERVICE REASON
> 143/tcp open  imap    syn-ack
> |_ imap-capabilities: LOGINDISABLED IDLE IMAP4 LITERAL+ STARTTLS NAMESPACE IMAP4rev1
>
> Comments on the script welcome.  I may enhance them to do IMAP "LOGIN"
> or "PLAIN" brute forcing at a later date.  Somebody else is welcome to
> beat me to it ;-)

It works for me with Dovecot imapd. It even worked on the imaps port
with -sV. It should probably guess an SSL connection for port 993, but
that's a separate issue that João is working on.

Sorry for taking so long to look this over. Fyodor, is this okay to
include now? The patch has been pending since May 1.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org