Recon Tool: AdminPBuster (Admin Panel Buster)

AdminPBuster (Admin Panel Buster)
AdminPBuster, developed by Chris “SaintDruG” Abou-Chabke from Black Hat Ethical Hacking, is a Red Teaming recon tool that finds hidden admin panels on web applications using brute-forcing. It can help Red Teams, Offensive Security Experts, and Bug Bounty Hunters who are looking to discover hidden or obscured admin panels efficiently. Instead of bundling a static wordlist and bloating the tool, it fetches an updated admin panel wordlist directly from our GitHub repository:
- This keeps the tool lightweight and easy to maintain.
- Whenever we update the hosted wordlist, the tool automatically benefits, without needing to update the script itself.
Key Technical Goodies:
- Multithreaded scanning using curl
- Proper HTTPS and www. handling to fix SSL issues
- Real redirect following (-L curl flag) bypasses WAFs and Cloudflare protections, and only valid 200 responses are logged
- No proxychains/Tor dependency (due to their unreliability for professional offensive operations)
- Optional randomized User-Agent headers (-ua) to simulate real traffic
AdminPBuster focuses on speed, reliability, and accuracy while staying very simple to operate, going through 10,000+ wordlists.
The Flow Behind It
- Fetch Updated Wordlist: Downloads the latest magic_admin_paths.txt from GitHub automatically.
- Prepare Target Domain: Adds www. if missing, forces HTTPS, solving common SSL and cert mismatch problems.
- Build and Launch Curl Requests: Constructs lightweight curl calls to quickly test admin paths with correct flags.
- Multithreaded Scanning: Scans many paths at once using multiple threads to improve speed.
- Color-Coded Result Parsing: Displays results with colors based on HTTP response codes for easy reading:
  - 200 (OK) in green
  - 301/302 (Redirects) in cyan
  - 403 (Forbidden) in yellow
  - 404 (Not Found) in red
  - Other codes in magenta
- Log Successful Admin Panels: Admin panels found (200 OK) are automatically saved inside a folder under results/{target_domain}/found_panels.txt.
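From the defender's side, the flow above leaves a recognizable pattern in web server access logs: one client requesting many distinct paths within seconds, mostly answered with 404, sometimes with a curl or rotating User-Agent. The following Python is an added example, not part of AdminPBuster or the original article; the Combined Log Format input, the thresholds, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def find_path_enumeration(lines, min_paths=8, window=timedelta(seconds=60), miss_ratio=0.7):
    """Flag clients requesting many distinct paths, mostly 403/404, in one window.
    Thresholds are illustrative assumptions, not tuned values."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events[m["ip"]].append((ts, m["path"], int(m["status"]), m["ua"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            burst = evs[start:end + 1]
            paths = {e[1] for e in burst}
            misses = sum(e[2] in (403, 404) for e in burst)
            best = flagged.get(ip, {"distinct_paths": 0})
            if (len(paths) >= min_paths and misses / len(burst) >= miss_ratio
                    and len(paths) > best["distinct_paths"]):  # keep the largest burst
                agents = {e[3] for e in burst}
                flagged[ip] = {
                    "distinct_paths": len(paths),
                    "curl_user_agent": any(a.startswith("curl/") for a in agents),
                    "rotating_user_agents": len(agents) > 3,  # one IP, many "browsers"
                    "served_200": sorted(e[1] for e in burst if e[2] == 200),
                }
    return flagged

def sample_log():
    """Constructed log lines: two scanning clients and one ordinary visitor."""
    paths = ["/admin/", "/administrator/", "/login/", "/wp-admin/", "/cpanel/",
             "/manage/", "/backend/", "/panel/", "/dashboard/", "/controlpanel/"]
    out = ['198.51.100.4 - - [10/May/2025:12:00:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']
    for ip, rotate in (("203.0.113.7", False), ("203.0.113.9", True)):
        for i, p in enumerate(paths):
            ua = f"Mozilla/5.0 (constructed-agent-{i})" if rotate else "curl/8.5.0"
            status = 200 if p == "/wp-admin/" else 404
            out.append(f'{ip} - - [10/May/2025:12:00:{i:02d} +0000] "GET {p} HTTP/1.1" {status} 512 "-" "{ua}"')
    return out
```

Paths listed under served_200 are the ones such a scan would have recorded as found, so they are the first to review for exposure.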
Features
- Lightweight and portable (single Python3 script)
- Automatic admin paths updates from GitHub
- Bypasses Cloudflare and WordPress redirects properly
- Realistic User-Agent randomization with -ua
- Multithreaded scanning (default 5 threads, customizable)
- SSL/TLS handling built-in (always uses HTTPS + www)
- Color-coded live scan results
- Only real 200 OK pages saved
- Fancy banners, motivational quotes, rainbow CLI styling, because we love colors!
- 10,000+ wordlists specifically aimed at admin panel search
Compatibility
This tool has been tested on Kali Linux.
Installation
Clone the repository:
git clone https://github.com/blackhatethicalhacking/AdminPBuster.git
cd AdminPBuster
Make the installer executable:
chmod +x installer.sh
Run the installer:
./installer.sh
What installer.sh does
- Updates APT repositories
- Installs system packages:
  - curl
  - toilet
  - lolcat
- Installs required Python3 libraries:
  - requests
  - termcolor
  - urllib3
- Makes AdminPBuster.py executable automatically
After installation, simply run:
./AdminPBuster.py -t example.com -th 10
Optionally with randomized User-Agent:
./AdminPBuster.py -t example.com -th 10 -ua
Disclaimer
This tool is provided for educational and research purposes only. The author of this project is in no way responsible for any misuse of this tool. We use it for testing under NDA agreements with clients and with their consent, strictly for penetration testing purposes. We do not encourage misuse, nor do we accept responsibility for any damage caused.