This article by xpnsec delves into the intricate architecture of Visual Studio Code Dev Tunnels, exploring their utility for Red Team assessments. Assisted by an LLM named "Bishop," the author meticulously dissects the multi-layered protocol. The research begins by detailing the REST management layer for tunnel discovery and access token generation, leveraging GitHub or Azure OAuth2. It then progresses to the WebSocket layer, which establishes a secure tunnel, followed by a discussion of the non-standard SSH connection that utilizes a modified russh crate for authentication and client-initiated port forwarding. The final layer involves MsgPack RPC, through which commands like spawn_cli, fs_read, and sys_kill can be executed remotely. The core outcome of this research is Ouroboros, a Rust-based tool designed to interact with these dev tunnels, enabling actions such as listing existing tunnels and executing remote commands.…