tags: Enumerazione_Esterna_IMAP Enumerazione_Esterna_POP3


Nmap

With Nmap we can check whether the mail services are up and, thanks to the default scripts (-sC), collect a lot of useful information: the organization named in the TLS certificate, the certificate's validity period and location, and the capabilities each service advertises. In the output below, note that the plaintext ports offer STLS/STARTTLS, port 143 reports LOGINDISABLED and port 110 does not list USER, while the implicit-TLS ports 993/995 advertise AUTH=PLAIN / SASL(PLAIN): cleartext credentials are accepted only inside a TLS session.

sudo nmap -sCV -p110,143,993,995 10.129.73.40 
 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-16 10:50 CET
Nmap scan report for 10.129.73.40
Host is up (0.12s latency).
 
PORT    STATE SERVICE  VERSION
110/tcp open  pop3     Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-11-08T23:10:05
|_Not valid after:  2295-08-23T23:10:05
|_pop3-capabilities: CAPA SASL STLS PIPELINING UIDL AUTH-RESP-CODE TOP RESP-CODES
143/tcp open  imap     Dovecot imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-11-08T23:10:05
|_Not valid after:  2295-08-23T23:10:05
|_imap-capabilities: IDLE LOGINDISABLEDA0001 Pre-login listed IMAP4rev1 ID LOGIN-REFERRALS have capabilities OK more LITERAL+ SASL-IR post-login ENABLE STARTTLS
993/tcp open  ssl/imap Dovecot imapd
|_imap-capabilities: IDLE AUTH=PLAINA0001 listed IMAP4rev1 ID Pre-login have ENABLE capabilities more LITERAL+ OK post-login LOGIN-REFERRALS SASL-IR
| ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-11-08T23:10:05
|_Not valid after:  2295-08-23T23:10:05
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: CAPA USER SASL(PLAIN) PIPELINING UIDL AUTH-RESP-CODE TOP RESP-CODES
| ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-11-08T23:10:05
|_Not valid after:  2295-08-23T23:10:05
|_ssl-date: TLS randomness does not represent time
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.15 seconds

Curl

With curl we can see the TLS version and cipher suite that were negotiated, the certificate details (subject, issuer, validity period, key type), the server banner and the advertised capabilities. The -k flag skips certificate verification, which is needed here because the certificate is self-signed; with --user curl also authenticates, in this case via AUTH PLAIN:

curl -k "pop3s://10.129.73.40" --user robin:robin -v
*   Trying 10.129.73.40:995...
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* Server certificate:
*  subject: C=UK; ST=London; L=London; O=InlaneFreight Ltd; OU=DevOps Department; CN=dev.inlanefreight.htb; emailAddress=[email protected]
*  start date: Nov  8 23:10:05 2021 GMT
*  expire date: Aug 23 23:10:05 2295 GMT
*  issuer: C=UK; ST=London; L=London; O=InlaneFreight Ltd; OU=DevOps Department; CN=dev.inlanefreight.htb; emailAddress=[email protected]
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to 10.129.73.40 (10.129.73.40) port 995
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< +OK InFreight POP3 v9.188
> CAPA
< +OK
< CAPA
< TOP
< UIDL
< RESP-CODES
< PIPELINING
< AUTH-RESP-CODE
< USER
< SASL PLAIN
< .
> AUTH PLAIN
< + 
> AHJvYmluAHJvYmlu
< +OK Logged in.
> LIST
< +OK 0 messages:
 
* Connection #0 to host 10.129.73.40 left intact

Having credentials is better, but even without them you still get relevant information. Note how curl authenticated: AUTH PLAIN followed by the base64 of \0robin\0robin (AHJvYmluAHJvYmlu), so the password is protected only by the TLS tunnel. You can do the same with IMAP; without logging in you still get the greeting with the pre-login capabilities, but mailbox commands such as LIST are rejected until you authenticate:

curl -k "imaps://10.129.73.40"  -v
*   Trying 10.129.73.40:993...
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* Server certificate:
*  subject: C=UK; ST=London; L=London; O=InlaneFreight Ltd; OU=DevOps Department; CN=dev.inlanefreight.htb; emailAddress=[email protected]
*  start date: Nov  8 23:10:05 2021 GMT
*  expire date: Aug 23 23:10:05 2295 GMT
*  issuer: C=UK; ST=London; L=London; O=InlaneFreight Ltd; OU=DevOps Department; CN=dev.inlanefreight.htb; emailAddress=[email protected]
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to 10.129.73.40 (10.129.73.40) port 993
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] HTB{roncfbw7iszerd7shni7jr2343zhrj}
> A001 CAPABILITY
< * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN
< A001 OK Pre-login capabilities listed, post-login capabilities have more.
> A002 LIST "" *
< A002 BAD Error in IMAP command received by server.
* shutting down connection #0
curl: (21) Quote command returned error
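As an added worked example (not code from this page, nor from nmap, curl or Dovecot), the following Python script automates what the Nmap and curl steps above reveal: it builds and decodes the SASL PLAIN token that curl sent, parses POP3 CAPA and IMAP CAPABILITY replies, and flags the security-relevant combinations (STARTTLS offered, LOGINDISABLED, cleartext mechanisms on a non-TLS listener). The sample replies are constructed from the responses shown on this page (the greeting text "Dovecot ready." is made up). The probe() function talks to a live host over implicit TLS and, like curl -k, deliberately skips certificate verification, so use it only against an authorized lab target; its host and port arguments are assumptions.

```python
"""POP3/IMAP capability enumeration helpers (added example, not the page's own
tooling).  Offline parsing/assessment plus an optional live probe."""
import base64
import socket
import ssl

# Constructed samples, transcribed from the curl/nmap output on this page.
POP3_CAPA_995 = ("+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nRESP-CODES\r\nPIPELINING\r\n"
                 "AUTH-RESP-CODE\r\nUSER\r\nSASL PLAIN\r\n.\r\n")
POP3_CAPA_110 = ("+OK\r\nCAPA\r\nSASL\r\nSTLS\r\nPIPELINING\r\nUIDL\r\n"
                 "AUTH-RESP-CODE\r\nTOP\r\nRESP-CODES\r\n.\r\n")
IMAP_GREETING_993 = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                     "IDLE LITERAL+ AUTH=PLAIN] Dovecot ready.\r\n")
IMAP_GREETING_143 = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                     "IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.\r\n")


def sasl_plain_token(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL password); what curl sent."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_sasl_plain(token: str) -> tuple[str, str, str]:
    """Inverse of sasl_plain_token, for tokens seen in a capture or log."""
    authzid, user, password = base64.b64decode(token).decode().split("\0")
    return authzid, user, password


def parse_pop3_capa(reply: str) -> list[str]:
    """Parse a CAPA reply (RFC 2449): '+OK', one capability per line, '.' ends it."""
    lines = reply.replace("\r", "").split("\n")
    if not lines[0].startswith("+OK"):
        raise ValueError("CAPA rejected: " + lines[0])
    caps = []
    for line in lines[1:]:
        if line == ".":
            break
        if line:
            caps.append(line.upper())
    return caps


def parse_imap_capability(line: str) -> list[str]:
    """Capability tokens from '* OK [CAPABILITY ...]' or '* CAPABILITY ...'."""
    line = line.strip()
    if "[CAPABILITY " in line:
        body = line.split("[CAPABILITY ", 1)[1].split("]", 1)[0]
    elif line.upper().startswith("* CAPABILITY "):
        body = line[len("* CAPABILITY "):]
    else:
        raise ValueError("no capability list in: " + line)
    return body.upper().split()


def auth_mechanisms(caps: list[str]) -> list[str]:
    """SASL mechanisms from IMAP 'AUTH=X' or POP3 'SASL X Y' / 'SASL(X)' forms."""
    mechs = set()
    for cap in caps:
        if cap.startswith("AUTH="):
            mechs.add(cap[5:])
        elif cap.startswith(("SASL ", "SASL(")):   # bare 'SASL' and 'SASL-IR' are skipped
            mechs.update(cap[4:].strip(" ()").split())
    return sorted(mechs)


def assess(caps: list[str], implicit_tls: bool) -> list[str]:
    """Security-relevant observations for one listener."""
    caps = [c.upper() for c in caps]
    mechs = auth_mechanisms(caps)
    findings = []
    if implicit_tls:
        if mechs:
            findings.append("password auth inside TLS: " + ",".join(mechs))
    else:
        if "STLS" in caps or "STARTTLS" in caps:
            findings.append("STARTTLS offered")
        if "LOGINDISABLED" in caps:
            findings.append("IMAP LOGIN disabled before STARTTLS")
        if "USER" in caps or "PLAIN" in mechs or "LOGIN" in mechs:
            findings.append("cleartext credentials accepted before TLS")
    return findings


def probe(host: str, port: int, proto: str, timeout: float = 5.0):
    """Greeting + capabilities over implicit TLS (993/995). Like `curl -k`, the
    certificate is NOT verified: lab use only.  host/port are assumptions."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                           server_hostname=host)
    f = sock.makefile("rw", encoding="latin-1", newline="")
    greeting = f.readline()
    if proto == "pop3":
        f.write("CAPA\r\n"); f.flush()
        reply = ""
        while True:
            line = f.readline()
            reply += line
            if line == "" or line.rstrip("\r\n") == "." or reply.startswith("-ERR"):
                break
        caps = parse_pop3_capa(reply)
        f.write("QUIT\r\n"); f.flush()
    else:
        caps = parse_imap_capability(greeting) if "[CAPABILITY " in greeting else []
        f.write("A001 CAPABILITY\r\n"); f.flush()
        while True:
            line = f.readline()
            if line.upper().startswith("* CAPABILITY "):
                caps = parse_imap_capability(line)   # post-greeting list wins
            if line == "" or line.startswith("A001 "):
                break
        f.write("A002 LOGOUT\r\n"); f.flush()
    sock.close()
    return greeting.strip(), caps


if __name__ == "__main__":
    print("token:", sasl_plain_token("robin", "robin"))
    for name, caps, tls in (("pop3/995", parse_pop3_capa(POP3_CAPA_995), True),
                            ("pop3/110", parse_pop3_capa(POP3_CAPA_110), False),
                            ("imap/993", parse_imap_capability(IMAP_GREETING_993), True),
                            ("imap/143", parse_imap_capability(IMAP_GREETING_143), False)):
        print(name, assess(caps, tls))
```

Running the script offline prints the PLAIN token from the curl exchange and the assessment of the four constructed listeners; probe("10.129.73.40", 993, "imap") would fetch the same greeting and capability list that curl showed, with the same caveat that -k / CERT_NONE disables certificate validation.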