A Python reconnaissance tool designed to discover Azure services and attribute tenant ownership information based on their responses.
- Authors:
  - Karl Fosaaen (@kfosaaen - On most platforms), NetSPI
  - Thomas Elling (@thomaselling1), NetSPI
- License: BSD 3-Clause
This tool helps security researchers, penetration testers, and Azure administrators discover Azure resources associated with specific tenant IDs.
Tests resource names against 6 different Azure services and their subdomains:
- Azure App Services (.azurewebsites.net and .scm.azurewebsites.net)
- Azure DevOps (dev.azure.com)
- Azure Key Vault (.vault.azure.net)
- Azure Storage Accounts (.blob.core.windows.net)
- SharePoint Online (.sharepoint.com)
- Azure Databricks (.azuredatabricks.net)
- Concurrent Processing: Multi-threaded scanning for faster results
- Batch Processing: Processes resources in configurable batches to prevent memory issues
- DNS Validation: Confirms DNS records before making HTTP requests
- Permutation Generation: Automatically generates variations of resource names
- Database Storage: SQLite database for persistent results
- Multiple Export Formats: CSV, JSON, and HTML exports
- Verbose Logging: Detailed debug information for troubleshooting
- Python 3.7 or higher
- Internet connection
- Required Python packages (see Installation below)
- Clone or download the tool:
  ```
  git clone https://github.com/NetSPI/ATEAM.git
  cd ATEAM
  ```
- Install required dependencies:
  ```
  pip install -r requirements.txt
  ```
  Or install manually:
  ```
  pip install requests dnspython urllib3
  ```
- Verify installation:
  ```
  python ateam.py --help
  ```

Scan a single resource:
```
python ateam.py -r "myapp"
```
Scan multiple resources:
```
python ateam.py -r "app1" "app2" "app3"
```
Scan from a text file resource list:
```
python ateam.py -f resources.txt
```
Verbose output with 20 workers:
```
python ateam.py -f resources.txt -v -w 20
```
Generate permutations and scan:
```
python ateam.py -f resources.txt -p
```
Generate permutations with smaller batch size (recommended for large scans):
```
python ateam.py -f resources.txt -p -b 100
```
Export results to HTML:
```
python ateam.py -e html
```
Clear database and start fresh:
```
python ateam.py -f resources.txt --clear
```

| Option | Description | Example |
|---|---|---|
| -f, --file | File containing resources (one per line) | -f resources.txt | 
| -r, --resources | Space-separated list of resources | -r "app1" "app2" | 
| -w, --workers | Number of concurrent workers (default: 10) | -w 20 | 
| -b, --batch-size | Resources per batch (default: 1000) | -b 100 | 
| -v, --verbose | Enable verbose logging | -v | 
| -l, --list | List all database entries | -l | 
| -e, --export | Export results (csv, json, html) | -e html | 
| --clear | Clear database before scanning | --clear | 
| -t, --tenant | Filter results by tenant ID | -t "tenant-id" | 
| -p, --permutations | Generate resource name permutations | -p | 

```
ATEAM/
├── ateam.py                  # Main script
├── requirements.txt          # Python dependencies
├── permutations.txt          # Resource name permutations
└── README.md                 # This file
```

The permutations.txt file contains common prefixes and suffixes to generate variations of resource names:
```
dev
prod
test
staging
api
web
...
```
This will generate combinations like:
- devmyapp
- myappdev
- prodmyapp
- myapp-prod
- etc.
Results are stored in azure_tenants.db (SQLite) with the following schema:
- resource_uri: The discovered resource URL
- resource_type: Type of Azure service
- tenant_id: Extracted tenant ID
- discovered_at: Timestamp of discovery

```
2025-06-27 14:37:39 - INFO - Found Storage Account tenant ID 72f988bf-86f1-41af-91ab-2d7cd011db47 for mars
2025-06-27 14:37:40 - INFO - Found App Service SCM tenant ID 'common' for notarealapplication
2025-06-27 14:37:47 - INFO - Found Key Vault tenant ID 72f988bf-86f1-41af-91ab-2d7cd011db47 for mdo
```

```
Resource URI                             Type            Tenant ID                            Discovered At
-----------------------------------------------------------------------------------------------------------------
hanover.scm.azurewebsites.net            AppServices-SCM 72f988bf-86f1-41af-91ab-2d7cd011db47 2025-06-27 21:37:41
dev.azure.com/microsoft                  DevOps          72f988bf-86f1-41af-91ab-2d7cd011db47 2025-06-27 21:37:12
mdo.vault.azure.net                      KeyVault        72f988bf-86f1-41af-91ab-2d7cd011db47 2025-06-27 21:37:47
mars.blob.core.windows.net               StorageAccount  72f988bf-86f1-41af-91ab-2d7cd011db47 2025-06-27 21:37:46
```

- DNS Validation: Checks if DNS records exist for the resource
- Service Probing: Makes HTTP requests to the applicable Azure service endpoints
- Response Analysis: Depending on the resource, extracts tenant IDs from:
  - WWW-Authenticate headers
  - OAuth redirect URLs
  - Response headers
  - Error messages
- Data Storage: Saves results to SQLite database
- Export: Generates reports in various formats
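
The response-analysis step above, as an added example rather than ATEAM's own code: it pulls the tenant segment out of a `WWW-Authenticate` or redirect `Location` header and rejects lookalike login hosts, which is what an administrator would check to see what an anonymous response discloses. The function names and header values are constructed for illustration, and the assumption is that the tenant is the first path segment of a Microsoft login URL.

```python
import re
from urllib.parse import urlsplit

# Assumption: the tenant is the first path segment of a Microsoft login URL.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.windows.net"}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
URL_RE = re.compile(r"https://[^\s\"',]+")


def tenant_from_url(url):
    """Return the tenant segment of a login URL, or None."""
    parts = urlsplit(url)
    # Exact host match: a lookalike such as login.windows.net.example.org is rejected.
    if (parts.hostname or "").lower() not in LOGIN_HOSTS:
        return None
    segments = [s for s in parts.path.split("/") if s]
    first = segments[0].lower() if segments else ""
    # A GUID names one tenant; "common" is the alias seen in the page's sample log.
    if GUID_RE.fullmatch(first) or first == "common":
        return first
    return None


def tenant_from_headers(headers):
    """Look in WWW-Authenticate first, then in a redirect Location header."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in ("www-authenticate", "location"):
        for url in URL_RE.findall(lowered.get(name, "")):
            tenant = tenant_from_url(url)
            if tenant:
                return tenant
    return None


# Constructed responses with a placeholder GUID; none of these are captured traffic.
GUID = "11111111-2222-3333-4444-555555555555"
SAMPLES = {
    "vault": {"WWW-Authenticate": f'Bearer authorization="https://login.windows.net/{GUID}", '
                                  'resource="https://vault.azure.net"'},
    "storage": {"www-authenticate": "Bearer authorization_uri=https://login.microsoftonline.com/"
                                    f"{GUID}/oauth2/authorize resource_id=https://storage.azure.com"},
    "redirect": {"Location": "https://login.microsoftonline.com/common/oauth2/authorize?client_id=x"},
    "lookalike": {"WWW-Authenticate": f'Bearer authorization="https://login.windows.net.example.org/{GUID}"'},
    "no_auth": {"Server": "constructed"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:10} -> {tenant_from_headers(headers)}")
```
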
- Rate Limiting: The tool includes delays and respects service limits
- Error Handling: Graceful handling of timeouts and errors
- Logging: Detailed logs for audit trails
- Non-Intrusive: Uses standard HTTP requests without authentication to do anonymous enumeration
You can enable verbose logging for detailed information, but it can be a bit much:
```
python ateam.py -f resources.txt -v
```
If you experience "killed" messages when using permutations, try reducing the batch size:
```
python ateam.py -f resources.txt -p -b 100 -w 5
```
This processes resources in smaller batches with fewer concurrent workers to prevent memory exhaustion.
Contributions are welcome! Please feel free to submit:
- Bug reports
- Feature requests
- Code improvements
- Documentation updates
