
How Hack Into Cpanel?


r4v37t


I am doing this on my own CPanel account; I just want to learn and to know how to hack into CPanel.

My reason for doing this is in case I have forgotten the username and password for login.

Is it possible to hack into CPanel to get my username and password back, if in this case I have already uploaded a C99 phpshell into my account?

*CPanel version 11

Regards,

Edited by r4v37t

Ummm, do you own the server or is it being hosted by a company?


Unless the version of cPanel you are using is vulnerable to injection, the best you can do is brute force it. Most implementations of cPanel these days will lock the account for 15 minutes at a time or more if there are too many failed attempts, so automated bruteforcing becomes that much harder. But, with most cPanel sites, they tend to have a stats directory from the main site, like stats.somedomain.com, or even www.somesite.com/stats, www.somesite.com/logs, etc, and this will generally be htpasswd protected, which you could then brute force for the password (generally you should figure out the user name first, since this probably won't be something as simple as admin or root). If you get into the stats panel to view logs, then try that username and password in cPanel. Might also be an email address for the username. cPanel is pretty secure these days too. If you figure out the user's email and email password tied to the account, then see if they use the same password multiple places. If you have their email access, you can also try resetting the login to send you a temp password and intercept it from their email. This is all theoretical by the way, for educational purposes only. You go and hack someone's account and upload a c99 shell on their server, you do so at your own risk and it is your own fault when you get arrested.

Edited by digip

Ummm, do you own the server or is it being hosted by a company?

Being hosted, just for educational purposes only.

Unless the version of cPanel you are using is vulnerable to injection, the best you can do is brute force it. Most implementations of cPanel these days will lock the account for 15 minutes at a time or more if there are too many failed attempts, so automated bruteforcing becomes that much harder. But, with most cPanel sites, they tend to have a stats directory from the main site, like stats.somedomain.com, or even www.somesite.com/stats, www.somesite.com/logs, etc, and this will generally be htpasswd protected, which you could then brute force for the password (generally you should figure out the user name first, since this probably won't be something as simple as admin or root). If you get into the stats panel to view logs, then try that username and password in cPanel. Might also be an email address for the username. cPanel is pretty secure these days too. If you figure out the user's email and email password tied to the account, then see if they use the same password multiple places. If you have their email access, you can also try resetting the login to send you a temp password and intercept it from their email. This is all theoretical by the way, for educational purposes only. You go and hack someone's account and upload a c99 shell on their server, you do so at your own risk and it is your own fault when you get arrested.

I'll try :)


Would be much faster to reset the password than brute force or otherwise use a roundabout method to regain access.

This is true, but I get the impression the op isn't resetting his own account and is trying to break into someone's site, by which he deserves whatever consequences may come with that.


From my experience hosting my domain 4 times, with the same version of CPanel 11 X3, the username is max 9 chars of the domain name (ex: somedomain.com => username is: somedomai), but I don't know how CPanel works. Emm.. is CPanel open source?


From my experience hosting my domain 4 times, with the same version of CPanel 11 X3, the username is max 9 chars of the domain name (ex: somedomain.com => username is: somedomai), but I don't know how CPanel works. Emm.. is CPanel open source?

Not that I know of - http://www.cpanel.net/products/cpanelwhm/purchase-cpanel-products.html But the username can be anything. Just some hosting companies use part of the domain name as the username, but it doesn't have to be this way.

Edited by digip

If the OP is really the account holder, all he has to do is contact the web hosting company and ask the helpdesk to reset the password for him. That is if he really is the account holder. I have a feeling that he may not be the owner, but I could be wrong!


If the OP is really the account holder, all he has to do is contact the web hosting company and ask the helpdesk to reset the password for him. That is if he really is the account holder. I have a feeling that he may not be the owner, but I could be wrong!

So, CPanel is more secure and doesn't leave the password in a file. Asking the helpdesk is the best way, because in CPanel I can't find the 'Forget Password' function.

Thanks for the solution.


If the OP is really the account holder, all he has to do is contact the web hosting company and ask the helpdesk to reset the password for him. That is if he really is the account holder. I have a feeling that he may not be the owner, but I could be wrong!

He's got about as much of a chance at social engineering someone at his host's help desk as he does getting pregnant and giving birth to Satan. "Communication, does not his strong point be" - Yoda.

I think little will come of it all...but what do I know. For as long as I've seen him on the forums, he's always seemed to be looking for the silver spoon and someone to put it in his mouth.


He's got about as much of a chance at social engineering someone at his host's help desk as he does getting pregnant and giving birth to Satan. "Communication, does not his strong point be" - Yoda.

Nope, I won't do that. This is a real situation in the place where I have lived: many people in my place just do 'Buy & Run' without knowing the advanced configuration. So when they get errors and the man they contacted before is miscommunicating, they find another man to manage and fix the errors. So, without the advanced configuration, how can one manage and fix the errors?

I think little will come of it all...but what do I know. For as long as I've seen him on the forums, he's always seemed to be looking for the silver spoon and someone to put it in his mouth.

All I ask is just for educational purposes only; I think sometimes an administrator must learn how a cracker thinks and works.

Regards,


He's got about as much of a chance at social engineering someone at his host's help desk as he does getting pregnant and giving birth to Satan. "Communication, does not his strong point be" - Yoda.

I think little will come of it all...but what do I know. For as long as I've seen him on the forums, he's always seemed to be looking for the silver spoon and someone to put it in his mouth.

He's not the only one, I've seen others in the same boat too. It's funny how they all come to Hak5 forums, always asking the same questions. How do I hack this or hack that?

Not that I don't want to help but a simple search in Google always reveals the answer.


He's not the only one, I've seen others in the same boat too. It's funny how they all come to Hak5 forums, always asking the same questions. How do I hack this or hack that?

Not that I don't want to help but a simple search in Google always reveals the answer.

If I am in the 'boat' that you mention, I want to leave it. But how can I leave the 'boat' if I don't learn how to leave the 'boat'? :)

*just word saying, never mind :)


If I am in the 'boat' that you mention, I want to leave it. But how can I leave the 'boat' if I don't learn how to leave the 'boat'? :)

*just word saying, never mind :)

My point was, rather than trying to hack into Cpanel, you could contact the company that is hosting Cpanel to reset the password for you. Hacking into someone else's account is illegal, and asking how to do something illegal is something that no one in here is willing to help out with.


My point was, rather than trying to hack into Cpanel, you could contact the company that is hosting Cpanel to reset the password for you. Hacking into someone else's account is illegal, and asking how to do something illegal is something that no one in here is willing to help out with.

Thanks for giving me the right way out :)

Regards,


I didn't read all of it but due to most users having the same password for everything my suggestion would be to try and SQLi the website and get the password database for the site and test the login details on the cpanel

I am just trying this on my own hosting and I will not use the same password for other services.


Just of note, there is also the easy way out. Just look up existing exploits known for cPanel. Someone else has probably done the work already.


I am just trying this on my own hosting and I will not use the same password for other services.

As a rule of thumb, always use different user IDs and passwords for any website you visit or sign up with on the internet.

It not only protects your identity but makes things difficult for someone who manages to snatch your credentials.

Edited by Infiltrator