Port reference
Port 548 (TCP) – AFP (Apple Filing Protocol)
Apple Filing Protocol for macOS network file sharing and Time Machine backups.
Default state
Open on macOS servers, older Macs, and NAS devices that enable AFP sharing.
Common attacks
- Authentication brute force against AFP user accounts
- Pre-auth server information disclosure via afp-serverinfo
- Exploitation of NAS/Netatalk vulnerabilities for RCE
- Unauthorized access to shared volumes and Time Machine backups
Hardening
- Prefer SMB (port 445) — AFP is deprecated by Apple
- Require strong authentication and disable guest access
- Never expose AFP to the internet; restrict to trusted LAN/VPN
- Patch Netatalk on NAS devices and keep macOS updated
nmap snippet
nmap -p548 --script afp-serverinfo,afp-brute <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 548?
Port 548 is the default for AFP, the Apple Filing Protocol, Apple's native network file-sharing protocol. It served macOS file shares and Time Machine backups for years and is implemented on many NAS devices via the open-source Netatalk. Apple has since deprecated AFP in favor of SMB, but it is still enabled on older Macs and storage appliances.
Why it matters for security
AFP discloses server information before authentication — machine name, supported auth methods, and shares — handing reconnaissance to anyone who can reach the port. Like any file-sharing service it is a target for credential brute force, and a foothold grants access to shared volumes and backups. Critically, Netatalk on NAS hardware has had serious remote-code-execution vulnerabilities, making exposed AFP a high-value target.
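What that pre-authentication reply contains, as an added Python example that is not from the original page: it parses the leading fields of an FPGetSrvrInfo reply block and flags advertised login methods that conflict with the hardening advice. The sample reply, the host name `lab-nas` and all function names are constructed for illustration; only the first header fields of the reply are decoded.

```python
import struct

# UAM names that indicate a weak login option if the server advertises them.
WEAK_UAMS = {"No User Authent": "guest access enabled",
             "Cleartxt Passwrd": "cleartext password login offered"}

def _pstr(buf, pos):
    """Read a Pascal string (length byte + data); return (text, next_pos)."""
    if pos >= len(buf) or pos + 1 + buf[pos] > len(buf):
        raise ValueError("string runs past end of reply")
    end = pos + 1 + buf[pos]
    return buf[pos + 1:end].decode("mac_roman"), end

def _pstr_list(buf, pos):
    """Read a one-byte count followed by that many Pascal strings."""
    if pos >= len(buf):
        raise ValueError("offset past end of reply")
    count, pos, items = buf[pos], pos + 1, []
    for _ in range(count):
        text, pos = _pstr(buf, pos)
        items.append(text)
    return items

def parse_server_info(reply):
    """Parse the fixed header and the string tables it points at."""
    if len(reply) < 11:
        raise ValueError("reply too short")
    # Five big-endian 16-bit fields: machine type, AFP versions, UAM list,
    # volume icon offsets (from the start of the reply), then server flags.
    machine_off, vers_off, uam_off, _icon_off, flags = struct.unpack_from(">5H", reply, 0)
    uams = _pstr_list(reply, uam_off)
    return {"server_name": _pstr(reply, 10)[0],
            "machine_type": _pstr(reply, machine_off)[0],
            "afp_versions": _pstr_list(reply, vers_off),
            "uams": uams, "flags": flags,
            "findings": [WEAK_UAMS[u] for u in uams if u in WEAK_UAMS]}

def build_sample():
    """Constructed reply for a fictional NAS; not captured from a real host."""
    p = lambda s: bytes([len(s)]) + s.encode("mac_roman")
    name, machine = p("lab-nas"), p("Netatalk")
    versions = bytes([2]) + p("AFP3.3") + p("AFP3.4")
    uams = bytes([2]) + p("No User Authent") + p("DHX2")
    m_off = 10 + len(name)
    v_off = m_off + len(machine)
    u_off = v_off + len(versions)
    return struct.pack(">5H", m_off, v_off, u_off, 0, 0) + name + machine + versions + uams

if __name__ == "__main__":
    print(parse_server_info(build_sample()))
```

A non-empty `findings` list on a host you administer means guest or cleartext login is still offered and should be turned off per the hardening list.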
How it's attacked
Attackers first pull pre-auth server info to map shares and auth methods, then brute-force credentials to reach the volumes. Where vulnerable Netatalk builds are running on NAS devices, they chain known RCE exploits for full device compromise. Mass scanners find internet-exposed AFP quickly, and Time Machine backups make those shares especially valuable to steal or ransom.
Hardening checklist
Migrate to SMB (port 445) since AFP is deprecated. Require strong authentication, disable guest access, and never expose port 548 to the internet — keep it on a trusted LAN or behind a VPN. On NAS devices, patch Netatalk promptly and keep macOS updated. The nmap snippet above pulls server info and tests authentication on hosts you are authorized to test.
Frequently asked questions
- Is AFP still used?
  AFP is deprecated; Apple now favors SMB for file sharing. It persists on older Macs, Time Machine setups, and NAS devices running Netatalk, where it remains a target.
- Why is exposed AFP dangerous?
  AFP leaks server details before authentication and is subject to credential brute force. Netatalk implementations on NAS devices have had serious remote-code-execution flaws, so internet exposure is high risk.