Forum Thread: Hack cPanel?

Hack cPanel?

Hi everyone. I own two domains, one registered with NameCheap and one with GoDaddy. Since I own the sites I wanted to 1. Test/learn my abilities and 2. Test the security. Does anyone know how I would go about finding the cpanel and gaining access to it? Thanks.

-Grinning Veil

11 Responses

Also both are hosted on their servers not mine. Forgot to mention that.

Sorry for replying to you late. I can't seem to find the message button on the wonder how to site. The Nethunter itself(the App) can generate msfvenom payloads, perform nmap scans, connect to a wifi pineapple via OTG, and manage your kali chroot.

There are several custom tools such as

"fuzzers" are used to find hidden admin panels and the likes. From there you can brute force the login, or social engineer it.

Thanks and sorry if I'm asking dumb questions.

That's alright! Everyone begins somewhere.

For most websites, you can find your cpanel on visiting the ports 2082 and 2083. Or sometimes, you get redirected by visiting directories which require authentication.

For eg -

Or redirect method-

You can either bruteforce the panel (the hard and time consuming way) or else try to scan the website for other vulnerabilities like sql injection, LFI, XSS, etc. and hence find the credentials for not only cpanel, but the database, the hosting server, or any other hosted service.

P.S: There's no need to be sorry bro. There's nobody who knows everything right... And we're here to help, not judge! :)

Thanks everyone for the quick replies! I found the cpanel for my namecheap domain (hosted on namecheap) with http://domain:2082 but it didn't work for the godaddy domain. /phpmyadmin or /cpanel didn't work either. Are there any other ways to try. Also if I didn't know which company is hosting it (if it were someone else's website) is there a way to find out? Lastly, you said I can scan the website. How do I do that. Thanks SO much for all of your help.

There could be a lot of solutions, to find the cpanel. Though it's rather difficult if we have zero reconnaissance about our target. First we gain info, then we decide what exploits we use. I could help better if you could share the target maybe.

Else I could suggest you other options tomorrow. I have an exam tomorrow.. I gotta study. :P

On the other hand about scanning, their are different techniques to check different vulnerabilities.

Say SQL Injection can be checked if, you have a dynamic parameter in your website's get request, add ' at the end of the value, it would show an error. For eg, in a URL,

Add ' after 1, an error would appear. Here id is a vulnerable parameter.

But, it depends on the web application, if it is hosting such content, and also the way it sanitizes the input. First, we analyse the applications it uses, then go for exploiting the application. Again we have several exploits of different things. Could be better if you could share more information about the target. You can PM me if you like.

Happy to help! :)

Check the link I posted. Basically it brute forces through a list of directories, adding onto the site.
i.e then and so on, until it runs out of options or finds a match

I have used quite a lot and it might help bro. But, it has some problems too.
1.) If you traverse the directories of a website you don't have permission to test, is illegal.

2.) It creates the log of your computer's info, and I what I mean by that is, not only ip, they even log your mac address, track location, as their is risk for their own company, while bruteforcing the directories.

3.) You only get 40 credits a day.... URL fuzzer provides you with excellent results no doubt, but you can only perform it 4 times a day, provided you don't perform any other free-to-use scans they allow, like port scanner.

Still it is a great tool. But never let yourself at risk if you are a hacker, as you can always find better solutions! :)

P.S: I am not saying it's bad. Thumbs up to you for the post. But, their can be better options available. #NoOffense

I mean you could just code your own, but if I'm out on the go it's a nice alternative to test my own websites or such.

If you are pentesting a company, then it's perfectly fine.

Share Your Thoughts

  • Hot
  • Active