EntraScout
The most comprehensive single-shot Microsoft 365 / Entra ID / Azure unauthenticated recon tool.
Hand it a domain. It maps the entire Microsoft cloud footprint. Then tells you how an attacker would chain it.
Version
Current version: 0.1.8
In 30 seconds
Output:
```
EntraScout v0.1.8 - recon target: target.com
[ phase 1] tenant → tenant_id 8efe2cef-... · region NAM
[ phase 2] federation → Federated · ADFS at corp.sts.target.com
[ phase 29] sharepoint_recon → 5 site collections enumerable
[ phase 31] mfa_gaps → EWS basic-auth surface present · ROPC enabled
[ phase 35] dns_intel → SaaS inventory: 11 providers · 4 DKIM selectors active
[ phase 36] subdomain_takeover → takeover candidate: cdn.target.com → dangling .azurefd.net
[ phase 50] power_pages_odata → /_odata/contacts returns 200 anonymously
───────────────────────────────────────────────────────────────
HIGH ADFS Relying Party catalog leaked at corp.sts.target.com (225 RPs)
HIGH ClaimsXray debug RP registered in production
HIGH Subdomain takeover candidate → cdn.target.com → dangling .azurefd.net
MEDIUM DKIM selectors reveal 4 ESP partners (Mailchimp, SendGrid, Marketo)
MEDIUM EXO basic-auth surface present (EWS, ActiveSync)
───────────────────────────────────────────────────────────────
Output: ./output/run_20260504_113212/
├─ executive_summary.html → 1-page PDF-ready audit deliverable
├─ report.html → full interactive report
├─ attack_paths.md → top attack chains in plain English
├─ findings.json → machine-readable
└─ raw/ → preserved evidence
```
What it covers
- 52 phases · 250+ checks · attack-chain mapping · web console
- Executive PDF reports Β· authenticated Graph mode
- Unauthenticated external recon + internal-mode probes
Modes
| Mode | Use case |
|---|---|
| CLI | Terminal-based scanning, automation, CI/CD |
| Web Console | Browser-based recon dashboard: 5 views (Console, Findings, Attack Chains, Surface, History) with live SSE streaming |