[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80547":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":16,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":17,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":18,"hasPages":18,"topics":20,"createdAt":10,"pushedAt":10,"updatedAt":21,"readmeContent":22,"aiSummary":23,"trendingCount":15,"starSnapshotCount":15,"syncStatus":13,"lastSyncTime":24,"discoverSource":25},80547,"Ouroboros","xpn\u002FOuroboros","xpn","A POC tool for exploring dev-tunnels","https:\u002F\u002Fspecterops.io\u002Fblog\u002F2026\u002F05\u002F06\u002Fdev-tunnels-the-accidental-c2\u002F",null,"Rust",56,2,54,0,3,1.43,false,"master",[],"2026-06-12 02:04:03","# Ouroboros\n\n![alt text](.\u002Fdocs\u002Flogo.png)\n\nA POC post-exploitation tool which allows connecting and executing commands on a dev-tunnel.\n\nBlog post at: [https:\u002F\u002Fspecterops.io\u002Fblog\u002F2026\u002F04\u002F30\u002Fdev-tunnels-the-accidental-c2\u002F](https:\u002F\u002Fspecterops.io\u002Fblog\u002F2026\u002F04\u002F30\u002Fdev-tunnels-the-accidental-c2\u002F)\n\n## What is it?\n\nMicrosoft dev-tunnels are used as part of the VSCode Remote Connect functionality, however the protocol supports a number of low-level utility functions. 
\n\n![demo](.\u002Fdocs\u002Fdemo.gif)\n\n## What can it be used for?\n\nAuthentication to dev-tunnels uses one of the following OAuth methods:\n\n* GitHub Account - A client ID of `01ab8ac9400c4e429b23`\n* Azure Account - A client ID of `aebc6443-996d-45c2-90f0-388ff96faa56`\n\n### GitHub Post-Exploitation\n\nIf you have compromised a GitHub account, it is possible to enumerate any dev-tunnels associated with that account by authorizing the \"Visual Studio Code\" OAuth2 application:\n\n![alt text](.\u002Fdocs\u002Fimage.png)\n\nThis application also allows Device Code registration, meaning that you can go from OAuth2 Device Code Phishing to RCE on any enrolled dev-tunnels.\n\n### Entra-ID Post-Exploitation\n\nThere are a few ways to use this for Entra ID connected tunnels. \n\nFor FOCI, you can use any Client ID which is part of FOCI and also has the `Dev Tunnels Service` resource available. The one that stands out is `872cd9fa-d31f-45e0-9eab-6e460a02d1f1` (Visual Studio - Legacy). \n\nAlternatively, the Visual Studio Code `aebc6443-996d-45c2-90f0-388ff96faa56` Client ID is used by VSCode to connect users.\n\n# Usage\n\nTo build:\n\n```\ncd ouroboros\ncargo build\n```\n\n# Usage\n\nFirst you'll need to list out any existing tunnels. 
You can do this with:\n\n```\n.\u002Fouroboros management --token [GITHUB\u002FAZURE TOKEN]\n```\n\nThe list of tunnels returned will look like this:\n\n```\nTunnel List:\nName: sneaky-fog-s5llk1t\n        Labels: [\"prometheus\", \"protocolv4\", \"vscode-server-launcher\", \"_flag3\"]\n        Created: \"2025-11-03T11:20:51.376614Z\"\n\nName: interesting-horse-lztwqbj\n        Labels: [\"serenitylocal\", \"protocolv4\", \"vscode-server-launcher\", \"_flag8\"]\n        Created: \"2026-04-13T11:54:57.1330336Z\"\n```\n\nYou can then spawn a virtual shell with:\n\n```\n.\u002Fouroboros --name interesting-horse-lztwqbj --token [GITHUB\u002FAZURE TOKEN]\n```\n\nSeveral commands are supported:\n\n```\n>> help\nAvailable commands:\n  help\n  gethostname\n  get_env\n  sys_kill \u003Cpid>\n  fs_stat \u003Cpath>\n  fs_read \u003Cpath>\n  fs_write \u003Cpath> \u003Cdata>\n  fs_rm \u003Cpath>\n  fs_mkdirp \u003Cpath>\n  fs_readdir \u003Cpath>\n  fs_rename \u003Cfrom_path> \u003Cto_path>\n  spawn \u003Ccommand> [args...]\n```\n\n# Patching russh\n\n(Not needed as russh is already patched in this repo)...\n\nBecause dev-tunnels uses a weird protocol deviation (clients use the forwarded-tcpip channel which is usually for servers), a patch is required to `russh` which lives in `russh.patch`.\n\nThis can be applied with:\n\n```\ncd russh\ngit apply ..\u002Fpatch\u002Frussh.patch\n```\n\n","Ouroboros is a post-exploitation testing tool for exploring and exploiting dev-tunnels. It allows users to connect to a dev-tunnel and execute commands, achieving remote code execution. The tool is written in Rust, supports authentication via a GitHub or Azure account, and can enumerate all dev-tunnels associated with a compromised account. Ouroboros provides a number of low-level utility functions, such as file system operations and process management. It is suited to security researchers assessing the security of dev-tunnels built on the VSCode Remote Connect functionality, and to simulating attack scenarios in red team exercises.","2026-06-11 04:01:10","CREATED_QUERY"]