ar0x4/tunnel-vision-toolkit — explained in plain English
Analysis updated 2026-05-18
Study how a real zero-trust network service can be fooled by a self-reported device identity.
Run a rogue client that connects to Microsoft's Global Secure Access edge from Linux or macOS.
Use included payloads to enumerate a target's Global Secure Access setup during authorized testing.
Reference the reconstructed protocol definition to understand how the tunneling service communicates.
| ar0x4/tunnel-vision-toolkit | cemsina/fasttextembed | gygkhd/esp32-mc | |
|---|---|---|---|
| Stars | 30 | 30 | 30 |
| Language | C | C | C |
| Setup difficulty | hard | easy | hard |
| Complexity | 5/5 | 2/5 | 4/5 |
| Audience | researcher | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires building the protocol buffer definitions, valid stolen or captured tokens, and a target environment enrolled in Microsoft Global Secure Access.
Tunnel Vision Toolkit is a security research project that was presented at x33fcon 2026 and demonstrates weaknesses in Microsoft Global Secure Access (GSA), which is Microsoft's cloud-based replacement for traditional corporate VPNs. The research is intended for authorized penetration testing and academic study of how the service works internally. Microsoft's GSA is designed to sit between a company's employees and its internal resources -- servers, file shares, applications -- verifying that each connecting device meets certain security requirements before allowing access. The core finding of this research is that the device compliance checks are self-reported by the connecting software and are not independently verified by Microsoft's servers. A custom client can claim to be a compliant Windows machine while actually running on Linux or macOS. The toolkit has two main parts. The first is a standalone Python client that can connect to Microsoft's edge servers from any operating system by speaking the same internal protocol that Microsoft's own client uses. The protocol was reverse-engineered from the Windows service binaries. This client creates a private network tunnel and routes arbitrary traffic through it, giving the attacker access to the company's internal network as if they were a legitimate employee. The second part consists of payloads designed to run inside penetration testing frameworks on a compromised Windows machine that is already enrolled in GSA. These payloads can enumerate the GSA configuration and extract authentication tokens that the Windows system stores locally. Those tokens can then be moved to the attacker's own machine and used with the rogue client to open a tunnel, bypassing all device compliance controls. The window of access using a stolen token lasts roughly 75 minutes until expiry. The repository includes the reconstructed protocol definition files, build instructions, and a documented step-by-step attack flow for use in authorized testing engagements.
A security research toolkit that shows how Microsoft's Global Secure Access zero-trust network service can be tricked with a custom client and stolen tokens.
Mainly C. The stack also includes Python, C, gRPC.
No open source license is stated. The author says the project is released only for authorized security testing and research purposes.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.