whatisgithub

What is tunnel-vision-toolkit?

ar0x4/tunnel-vision-toolkit — explained in plain English

Analysis updated 2026-05-18

30CAudience · researcherComplexity · 5/5Setup · hard

In one sentence

A security research toolkit that shows how Microsoft's Global Secure Access zero-trust network service can be tricked with a custom client and stolen tokens.

Mindmap

mindmap
  root((Tunnel Vision Toolkit))
    What it does
      Reverse engineers GSA protocol
      Custom rogue tunnel client
      Steals auth tokens
    Tech stack
      Python
      C
      gRPC
      Protocol Buffers
    Use cases
      Security research
      Token theft demo
      Zero trust bypass study
    Audience
      Security researchers
      Pentesters

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Study how a real zero-trust network service can be fooled by a self-reported device identity.

USE CASE 2

Run a rogue client that connects to Microsoft's Global Secure Access edge from Linux or macOS.

USE CASE 3

Use included payloads to enumerate a target's Global Secure Access setup during authorized testing.

USE CASE 4

Reference the reconstructed protocol definition to understand how the tunneling service communicates.

What is it built with?

PythonCgRPCProtocol BuffersTUN interface

How does it compare?

ar0x4/tunnel-vision-toolkitcemsina/fasttextembedgygkhd/esp32-mc
Stars303030
LanguageCCC
Setup difficultyhardeasyhard
Complexity5/52/54/5
Audienceresearcherdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires building the protocol buffer definitions, valid stolen or captured tokens, and a target environment enrolled in Microsoft Global Secure Access.

No open source license is stated. The author says the project is released only for authorized security testing and research purposes.

So what is it?

Tunnel Vision Toolkit is a security research project that was presented at x33fcon 2026 and demonstrates weaknesses in Microsoft Global Secure Access (GSA), which is Microsoft's cloud-based replacement for traditional corporate VPNs. The research is intended for authorized penetration testing and academic study of how the service works internally. Microsoft's GSA is designed to sit between a company's employees and its internal resources -- servers, file shares, applications -- verifying that each connecting device meets certain security requirements before allowing access. The core finding of this research is that the device compliance checks are self-reported by the connecting software and are not independently verified by Microsoft's servers. A custom client can claim to be a compliant Windows machine while actually running on Linux or macOS. The toolkit has two main parts. The first is a standalone Python client that can connect to Microsoft's edge servers from any operating system by speaking the same internal protocol that Microsoft's own client uses. The protocol was reverse-engineered from the Windows service binaries. This client creates a private network tunnel and routes arbitrary traffic through it, giving the attacker access to the company's internal network as if they were a legitimate employee. The second part consists of payloads designed to run inside penetration testing frameworks on a compromised Windows machine that is already enrolled in GSA. These payloads can enumerate the GSA configuration and extract authentication tokens that the Windows system stores locally. Those tokens can then be moved to the attacker's own machine and used with the rogue client to open a tunnel, bypassing all device compliance controls. The window of access using a stolen token lasts roughly 75 minutes until expiry. The repository includes the reconstructed protocol definition files, build instructions, and a documented step-by-step attack flow for use in authorized testing engagements.

Copy-paste prompts

Prompt 1
Explain how Microsoft Global Secure Access is supposed to verify a device before granting network access.
Prompt 2
Walk me through how this toolkit's rogue client authenticates and creates a tunnel.
Prompt 3
What does it mean that device posture checks are self-reported rather than server-validated?
Prompt 4
Summarize the attack flow described in this README step by step.
Prompt 5
What precautions should a security team take to avoid the token theft technique this project demonstrates?

Frequently asked questions

What is tunnel-vision-toolkit?

A security research toolkit that shows how Microsoft's Global Secure Access zero-trust network service can be tricked with a custom client and stolen tokens.

What language is tunnel-vision-toolkit written in?

Mainly C. The stack also includes Python, C, gRPC.

What license does tunnel-vision-toolkit use?

No open source license is stated. The author says the project is released only for authorized security testing and research purposes.

How hard is tunnel-vision-toolkit to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is tunnel-vision-toolkit for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.