Apple Filing Protocol Login Utility - Metasploit

This page contains detailed information about how to use the auxiliary/scanner/afp/afp_login metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

Name: Apple Filing Protocol Login Utility
Module: auxiliary/scanner/afp/afp_login
Source code: modules/auxiliary/scanner/afp/afp_login.rb
Disclosure date: -
Last modification time: 2021-08-31 17:10:07 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 548
List of CVEs: -

This module attempts to bruteforce authentication credentials for AFP.

Module Ranking and Traits

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/afp/afp_login
msf auxiliary(afp_login) > show options
    ... show and set options ...
msf auxiliary(afp_login) > set RHOSTS ip-range
msf auxiliary(afp_login) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(afp_login) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(afp_login) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(afp_login) > set RHOSTS file:/tmp/ip_list.txt

Required Options

• RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base

  msf > use modules/auxiliary/scanner/afp/afp_login
  msf auxiliary(scanner/afp/afp_login) > set USERNAME tuser
  msf auxiliary(scanner/afp/afp_login) > set PASSWORD myPassword
  msf auxiliary(scanner/afp/afp_login) > set RHOST 172.17.0.2
  msf auxiliary(scanner/afp/afp_login) > run
    [*] 172.17.0.2:548 - Scanning IP: 172.17.0.2
    [*] 172.17.0.2:548 - Login Successful: tuser:myPassword

Go back to menu.

Msfconsole Usage

Here is how the scanner/afp/afp_login auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/afp/afp_login

msf6 auxiliary(scanner/afp/afp_login) > show info

       Name: Apple Filing Protocol Login Utility
     Module: auxiliary/scanner/afp/afp_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Gregory Man <[email protected]>

Check supported:
  No

Basic options:
  Name              Current Setting  Required  Description
  ----              ---------------  --------  -----------
  BLANK_PASSWORDS   false            no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
  CHECK_GUEST       true             no        Check for guest login
  DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false            no        Add all passwords in the current database to the list
  DB_ALL_USERS      false            no        Add all users in the current database to the list
  LoginTimeOut      23               yes       Timout on login
  PASSWORD                           no        A specific password to authenticate with
  PASS_FILE                          no        File containing passwords, one per line
  Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
  RECORD_GUEST      false            no        Record guest login to the database
  RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT             548              yes       The target port (TCP)
  STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
  THREADS           1                yes       The number of concurrent threads (max one per host)
  USERNAME                           no        A specific username to authenticate as
  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false            no        Try the username as the password for all users
  USER_FILE                          no        File containing usernames, one per line
  VERBOSE           true             yes       Whether to print output for all attempts

Description:
  This module attempts to bruteforce authentication credentials for 
  AFP.

References:
  https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html
  https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html

Module Options

This is a complete list of options available in the scanner/afp/afp_login auxiliary module:

msf6 auxiliary(scanner/afp/afp_login) > show options

Module options (auxiliary/scanner/afp/afp_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   CHECK_GUEST       true             no        Check for guest login
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   LoginTimeOut      23               yes       Timout on login
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST      false            no        Record guest login to the database
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             548              yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

Advanced Options

Here is a complete list of advanced options supported by the scanner/afp/afp_login auxiliary module:

msf6 auxiliary(scanner/afp/afp_login) > show advanced

Module advanced options (auxiliary/scanner/afp/afp_login):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CHOST                                  no        The local client address
   CPORT                                  no        The local client port
   ConnectTimeout        10               yes       Maximum number of seconds to establish a TCP connection
   MaxGuessesPerService  0                no        Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
   MaxGuessesPerUser     0                no        Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:
                                                    22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used.
   MaxMinutesPerService  0                no        Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
   REMOVE_PASS_FILE      false            yes       Automatically delete the PASS_FILE on module completion
   REMOVE_USERPASS_FILE  false            yes       Automatically delete the USERPASS_FILE on module completion
   REMOVE_USER_FILE      false            yes       Automatically delete the USER_FILE on module completion
   SSL                   false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                              no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode         PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion            Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   ShowProgress          true             yes       Display progress messages during a scan
   ShowProgressPercent   10               yes       The interval in percent that progress should be shown
   TRANSITION_DELAY      0                no        Amount of time (in minutes) to delay before transitioning to the next user in the array (or password when PASSWORD_SPRAY=true)
   WORKSPACE                              no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the scanner/afp/afp_login module can do:

msf6 auxiliary(scanner/afp/afp_login) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the scanner/afp/afp_login auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/afp/afp_login) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Error Messages

This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

<IP>:<RPORT> - LOGIN FAILED: <RESULT.CREDENTIAL> (<RESULT.STATUS>: <RESULT.PROOF>)

Here is a relevant code snippet related to the "<IP>:<RPORT> - LOGIN FAILED: <RESULT.CREDENTIAL> (<RESULT.STATUS>: <RESULT.PROOF>)" error message:

80:	        create_credential_login(credential_data)
81:	
82:	        print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"
83:	      else
84:	        invalidate_login(credential_data)
85:	        vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
86:	      end
87:	    end
88:	  end
89:	
90:	

Go back to menu.

Related Pull Requests

• #12022 Merged Pull Request: Deregister PASSWORD_SPRAY option for LoginScanner modules
• #11523 Merged Pull Request: MSF5: Remove unneeded RHOST deregister in scanners
• #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
• #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
• #6655 Merged Pull Request: use MetasploitModule as a class name
• #6648 Merged Pull Request: Change metasploit class names
• #6014 Merged Pull Request: Related to #4803, Update LoginScanner modules to have into account TCP advanced options
• #5059 Merged Pull Request: Yard doc corrections
• #4737 Merged Pull Request: Preserve Context in LoginScanner socket calls, fixes #4723
• #4364 Merged Pull Request: Modules should respect bruteforce_speed again
• #4057 Merged Pull Request: Re-eneable tcp evasions in some LoginScanners
• #3999 Merged Pull Request: Fix #3995 - Make negative messages less verbose for LoginScanner modules
• #3746 Merged Pull Request: Feature/msp 11162/db all creds
• #2525 Merged Pull Request: Change module boilerplate
• #229 Merged Pull Request: afp_login module

References

• CVE: Not available
• https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html
• https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html

See Also

Check also the following modules related to this module:

• auxiliary/scanner/afp/afp_server_info
• exploit/osx/afp/loginext
• auxiliary/scanner/smb/impacket/dcomexec
• auxiliary/scanner/smb/impacket/secretsdump
• auxiliary/scanner/smb/impacket/wmiexec
• exploit/linux/local/af_packet_chocobo_root_priv_esc
• exploit/windows/fileformat/wireshark_packet_dect
• exploit/windows/misc/wireshark_packet_dect
• auxiliary/fuzzers/http/http_get_uri_strings
• auxiliary/scanner/ftp/easy_file_sharing_ftp
• auxiliary/scanner/http/springcloud_directory_traversal
• auxiliary/scanner/http/springcloud_traversal
• auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt
• exploit/linux/http/gpsd_format_string
• exploit/linux/misc/lprng_format_string
• exploit/multi/browser/chrome_simplifiedlowering_overflow
• exploit/multi/browser/firefox_tostring_console_injection
• exploit/unix/smtp/exim4_string_format
• exploit/windows/browser/hp_loadrunner_writefilestring
• exploit/windows/browser/ovftool_format_string
• exploit/windows/emc/networker_format_string
• exploit/windows/fileformat/acdsee_fotoslate_string
• exploit/windows/fileformat/ovf_format_string
• exploit/windows/ftp/easyfilesharing_pass
• exploit/windows/http/easyfilesharing_post
• exploit/windows/http/easyfilesharing_seh
• exploit/windows/http/file_sharing_wizard_seh
• post/linux/gather/gnome_keyring_dump
• exploit/dialup/multi/login/manyargs

Authors

• Gregory Man <man.gregory[at]gmail.com>

Version

This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.