Apple Filing Protocol (AFP)
aka Netatalk (the open-source AFP server implementation for Linux/BSD)
Apple's file-sharing protocol on 548. Like SMB for macOS — enumerate shares and (often) browse them with guest access, looking for the same kind of credential-leaking files.
Ports
| Port | Proto | Notes |
|---|---|---|
| 548 | tcp | AFP |
Fingerprint
- nmap afp-serverinfo returns machine type, shares, auth methods
- Bonjour/mDNS advertises _afpovertcp._tcp
Key files
| Path | Holds | Sensitive |
|---|---|---|
| exported volumes | documents, backups, configs leaking creds | sensitive |
Default / weak creds
guest login (the "No User Authent" UAM) when enabled
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2018-1160 | Netatalk out-of-bounds write → RCE |
Exploitation primitives
- afp-serverinfo / afp-showmount to list volumes
- Guest mount to browse and loot files
- Old Netatalk → CVE-2018-1160 unauthenticated RCE
Overview
AFP on 548 shares files for macOS (and Linux via Netatalk). Treat it like SMB: enumerate volumes, try guest, and loot.
Enumeration
Server info + auth methods:
```
nmap -p548 --script afp-serverinfo,afp-showmount <TARGET>
```
Brute share access / list volumes:
```
nmap -p548 --script afp-ls,afp-brute <TARGET>
```
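To turn the afp-serverinfo output into an audit result (guest UAM offered? Netatalk older than the 3.1.12 fix for CVE-2018-1160?), here is an added parser that is not part of the original page; the nmap output it parses is a constructed sample, and the field layout it assumes (`| afp-serverinfo:` followed by indented `Name: value` lines) follows the nmap script's normal output:

```python
import re

# Constructed sample of nmap afp-serverinfo output (not captured from a real host).
SAMPLE_SCAN = """\
548/tcp open  afp
| afp-serverinfo:
|   Server Flags:
|     Flags hex: 0x837d
|     Super Client: true
|   Server Name: fileserver
|   Machine Type: Netatalk3.1.11
|   AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3, AFP3.4
|   UAMs: No User Authent, DHX2, DHCAST128
|   Server Signature: 0123456789abcdef0123456789abcdef
|   Network Addresses:
|     10.0.0.5
|_  Directory Names: afpserver/fileserver@LAB
"""

CVE_2018_1160_FIXED = (3, 1, 12)  # first Netatalk release with the OOB-write fix

def _field(text, name):
    # Match "|   Name: value" (or "|_  Name: value" on the script's last line).
    m = re.search(r"^\|[_ ]\s*" + re.escape(name) + r":\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None

def parse_afp_serverinfo(text):
    """Extract the fields relevant to the hardening section from nmap output."""
    uams = [u.strip() for u in (_field(text, "UAMs") or "").split(",") if u.strip()]
    machine = _field(text, "Machine Type") or ""
    m = re.match(r"Netatalk(\d+)\.(\d+)\.(\d+)", machine)
    version = tuple(int(x) for x in m.groups()) if m else None
    return {"server": _field(text, "Server Name"), "machine_type": machine,
            "netatalk_version": version, "uams": uams}

def audit_afp(text):
    """Flag the two weaknesses the page names: guest auth and unpatched Netatalk."""
    info = parse_afp_serverinfo(text)
    findings = []
    if "No User Authent" in info["uams"]:
        findings.append("guest access enabled (No User Authent UAM offered)")
    ver = info["netatalk_version"]
    if ver is not None and ver < CVE_2018_1160_FIXED:
        findings.append("Netatalk %d.%d.%d predates the 3.1.12 fix for CVE-2018-1160" % ver)
    elif ver is None and info["machine_type"].startswith("Netatalk"):
        findings.append("Netatalk version not parsed from Machine Type; verify manually")
    return info, findings

if __name__ == "__main__":
    for line in audit_afp(SAMPLE_SCAN)[1]:
        print("FINDING:", line)
```

Feed it the saved `-oN` output of the scan above; an empty findings list means neither the guest UAM nor a pre-3.1.12 Netatalk banner was seen.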
Mount a volume
```
mount_afp afp://guest:@<TARGET>/<VolumeName> /mnt
```
Hardening
Disable guest access, require strong auth, and patch Netatalk (CVE-2018-1160).