Most of the websites have their own custom control panel/admin panel other than the server cpanel. They are simply programmed in php, html and java like languages. These admin panel can control the website completely other than the server settings. Once you have access to this then you can upload new images, edit pages and posts etc.

Admin panel requires a login that is stored in its local database. You can simply hack the database with tools like sqlmap (How to hack a database with sql injection sqlmap) or you can bruteforce it to gain access. The most annoying part in web penetration testing is finding these control panels. You can manually type in urls and search it which is very time consuming.

Here i have written a simple piece of code in python- CPSCAN. This can perform that annoying task easily. This python script bruteforce all the possible directories of a server and detects control panel by http response codes. This can detect almost 85% of websites.  There is a file named dir you can edit the file to add or remove directory if necessary .


Demo video

Download cpscan

Download from GitHub. click here .


or directly clone by the command


# git clone


Download it and open terminal in the directory and type the following command


# python -t -v

 option -v is for verbose mode. This can check every directory one by one and display the http codes, if it found one it will prompt user to continue scan or quit with the result. this wont take much time and its easy to use.Any doubts or questions? post it on the comment section below. If you like this blog give me a like on facebook and add me on google plus. Subscribe my youtube channel for video tutorials.

Susmith Krishnan

I’m a computer enthusiast basically and i love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and i would like to explore security vulnerabilities and latest tech news and wanna share with you


pure · June 4, 2017 at 10:15 pm

thanks for sharing
correct typo on your git command :
git clone without “-”
wrong command was
# git-clone
correct one is :
# git clone https…………..


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.