Finding cPanel using ZMap

Jackbox

Jan 2, 2016
If you have no idea how to use ZMap or set it up, I recommend you check over here first.

Follow all your laws; use this for informational purposes only.


Start a new project folder
MKWTR=~/`date +%s` && mkdir $MKWTR && cd $MKWTR

How about we find 10,000 open 443 hosts to test our luck?
zmap -p 443 -N 10000 -o cpanel.csv && cat cpanel.csv | zgrab http --timeout 3 --endpoint="/cpanel" --retry-https -o banners.json

1806

Now we are going to have somewhat of a large banners file; we will fix that.
cat banners.json | grep ":2083" > taming.lion

So, we want to find the IP addresses of these hosts mentioning port 2083.
cat taming.lion | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -u

Yes, I totally realize we could have just ZMap scanned for port 2083 in the first place to yield greater results, but this is for demonstration purposes.

What the heck did we just make? Somewhat of a cPanel scanner. Now we can know just about every cPanel hosting provider in the world fairly quickly.

Keep in mind ZMap scanning like this can generate abuse reports because some server admins get scared by port checks and banner looks. It's really the equivalent of someone looking from the street into your house for a brief moment then continuing on - but oh well. Don't want anyone looking through your living room window? Close the fucking blinds (port closure is easy to do). Ports; data windows are an open stream channel. If you leave the windows set up for public viewing, as is the case with an open-to-the-fucking-Internet port, then expect a good ZMap scan. The fact both administrators and "the bad guys" use this to take some type of inventory is clear proof this is not a malicious tool unless used maliciously. ZMap is like a gun, walking around other people with this thing holstered is no big deal. If you get ZMapped then start seeing loads of SQL injection attempts, followed by a myriad of other common attacks - okay, then bitch 'n' cry hard... or turn the ports down.

Not happy about that? Unplug your shit if you don't want to really secure it because abuse reports are more of a reactive control along the lines of obscurity more than anything else. :whistling: "You can't always get what you want". IP blocking is cool, abuse reporting against IP addresses without actually getting harmed is pretty damn dumb.

Concluding statement: Reporting someone's IP for abuse when they ZMap you is like filing a restraining order because someone said "Hi there." with a scary-to-you smile.
 
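Added example, not part of the original post: the receiving side of the scan above. It reads a combined-format web access log and counts requests for the `/cpanel` endpoint per source address, tagging sources whose User-Agent contains `zgrab`. The function names, the sample log lines and the reliance on the scanner keeping a zgrab User-Agent are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): count /cpanel probes per source
# IP in a combined-format access log read from stdin.
# Output lines: "<hits> <ip> <zgrab|other>", highest hit count first.
cpanel_probes() {
    awk '
    {
        # ip - - [ts] "METHOD path proto" status bytes "referer" "user-agent"
        n = split($0, q, "\"")
        if (n < 6) next                  # not combined format, skip
        split(q[2], req, " ")            # req[1] = method, req[2] = path
        path = req[2]
        sub(/\?.*/, "", path)            # ignore any query string
        if (path != "/cpanel" && path != "/cpanel/") next
        ip = $1
        hits[ip]++
        # Assumption: the scanner kept a User-Agent containing "zgrab"
        if (tolower(q[6]) ~ /zgrab/) tool[ip] = "zgrab"
        else if (!(ip in tool)) tool[ip] = "other"
    }
    END { for (ip in hits) print hits[ip], ip, tool[ip] }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [02/Jan/2016:10:00:01 +0000] "GET /cpanel HTTP/1.1" 301 0 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [02/Jan/2016:10:00:02 +0000] "GET /cpanel HTTP/1.1" 200 512 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.9 - - [02/Jan/2016:10:01:13 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.20 - - [02/Jan/2016:10:02:40 +0000] "GET /cpanel/ HTTP/1.1" 404 0 "-" "curl/7.47.0"
192.0.2.44 - - [02/Jan/2016:10:03:05 +0000] "GET /cpanel?x=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 zgrab/0.x"
not an access log line
EOF
}

sample_log | cpanel_probes
```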