Apple Filing Protocol (AFP) - PORT 548

Basic info

The Apple Filing Protocol (AFP), formerly known as AppleTalk Filing Protocol, is a proprietary network protocol developed by Apple Inc. It facilitates file services for macOS and classic Mac OS environments. AFP is renowned for its support of Unicode file names, POSIX and access control list (ACL) permissions, resource forks, named extended attributes, and advanced file locking mechanisms. Historically, it served as the primary protocol for file services in Mac OS 9 and earlier versions.

Default Port: 548/tcp

PORT    STATE SERVICE
548/tcp open  afp

Enumerating AFP Services

Enumeration shows what an AFP server exposes: server information, volumes, and share permissions. The following tools and scripts cover it:

Metasploit Framework

Use the Metasploit auxiliary scanner module to gather AFP server information:

msf> use auxiliary/scanner/afp/afp_server_info

Nmap Scripting Engine (NSE)

Nmap offers specialized scripts for AFP enumeration:

nmap -sV --script "afp-*" -p 548 <target-ip>

Key Nmap AFP scripts include:

  • afp-ls: Lists available AFP volumes and files.

  • afp-path-vuln: Identifies potential path vulnerabilities within AFP shares.

  • afp-serverinfo: Retrieves detailed information about the AFP server.

  • afp-showmount: Displays available AFP shares along with their respective ACLs.
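The server information these tools report comes from the reply to a DSIGetStatus request, which an AFP server answers before any login. The following added example (not code from this page, Nmap, or Metasploit) parses such a reply offline so you can review what your own server advertises, including its authentication methods (UAMs). The sample reply is constructed, and the choice of which UAM names to flag is an assumption of the example.

```python
import struct

# UAM names worth a second look on a server you run: guest and cleartext login.
# This set is the example's assumption, not a list from the page.
WEAK_UAMS = {"No User Authent", "Cleartxt Passwrd"}

def pstr(buf, off):
    # Pascal string: 1 length byte + data; returns (text, next offset)
    if off >= len(buf) or off + 1 + buf[off] > len(buf):
        raise ValueError("string runs past end of reply")
    end = off + 1 + buf[off]
    return buf[off + 1:end].decode("mac_roman"), end

def pstr_list(buf, off):
    # One count byte followed by that many Pascal strings
    items, count, off = [], buf[off], off + 1
    for _ in range(count):
        text, off = pstr(buf, off)
        items.append(text)
    return items

def parse_status(packet):
    # DSI header: flags (1 = reply), command (3 = DSIGetStatus), request id,
    # error code, data length, reserved
    if len(packet) < 16:
        raise ValueError("shorter than a DSI header")
    flags, cmd, _id, _err, length, _rsv = struct.unpack(">BBHIII", packet[:16])
    body = packet[16:16 + length]
    if (flags, cmd) != (1, 3) or len(body) != length or length < 11:
        raise ValueError("not a complete DSIGetStatus reply")
    # Reply block starts with offsets (relative to the block) and a flags word
    mach_off, ver_off, uam_off, _icon, _flags = struct.unpack(">5H", body[:10])
    if max(mach_off, ver_off, uam_off) >= length:
        raise ValueError("offset outside reply")
    uams = pstr_list(body, uam_off)
    return {"server": pstr(body, 10)[0], "machine": pstr(body, mach_off)[0],
            "versions": pstr_list(body, ver_off), "uams": uams,
            "weak_uams": sorted(WEAK_UAMS & set(uams))}

def constructed_reply():
    # Minimal reply built for this example, not captured from a real server
    p = lambda s: bytes([len(s)]) + s.encode("mac_roman")
    parts = [p("fileserver"), p("ExampleOS"),
             bytes([2]) + p("AFP3.3") + p("AFP3.4"),
             bytes([3]) + p("DHX2") + p("Cleartxt Passwrd") + p("No User Authent")]
    offs = [10 + sum(len(x) for x in parts[:i]) for i in (1, 2, 3)]
    body = struct.pack(">5H", *offs, 0, 0) + b"".join(parts)
    return struct.pack(">BBHIII", 1, 3, 1, 0, len(body), 0) + body

if __name__ == "__main__": print(parse_status(constructed_reply()))
```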

Brute force

nmap -p 548 --script afp-brute <IP>

msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run
