Multi-Hop Example
In this example, three hosts form a chain: an entry node (192.168.1.5), a DMZ host (10.0.1.10) acting as a relay, and an internal host (10.10.1.5) with no direct path to the entry node. The DMZ host connects outward to the entry node and listens inward for the next hop. Once established, traffic to 10.20.0.0/24 and 10.30.0.0/24 routes through the internal host.
The binary reached the DMZ host via initial access — a web shell, exposed service, or similar foothold. From there, it was transferred to the internal host using whatever lateral movement is available: scp, a shared mount, or a simple HTTP server on the DMZ host.
With no arguments, wallhack listens on the default port and negotiates the entry role automatically.
wallhack
Connecting to the attacker and listening for the next hop. With both --connect and --listen, the node negotiates the relay role automatically.
wallhack --connect 192.168.1.5 --listen :6565
Connecting back to the relay. With no TUN capability, the node negotiates the exit role automatically. --name assigns a name to this peer — you'll reference it when adding routes from the entry node REPL.
wallhack --connect 10.0.1.10 --name peer1
If --name is omitted, a random name is generated — run peers in the REPL to discover it.
Add routes for the networks reachable through the exit node.
Using the entry node REPL (also configures the OS route automatically):
wallhack> route add 10.20.0.0/24 via peer1
wallhack> route add 10.30.0.0/24 via peer1
Or directly with the system ip tool on the attacker machine:
ip route add 10.20.0.0/24 dev tun-peer1
ip route add 10.30.0.0/24 dev tun-peer1
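From the defender's side, the relay role described above leaves a recognizable shape in flow records: one host holds a long-lived outbound connection while accepting a long-lived inbound one from a different host. The following is an added detection sketch, not part of wallhack or its documentation; the Flow record layout, the duration threshold, and the sample flows are assumptions, and port 7000 stands in for the default port, which the page does not state.

```python
from collections import namedtuple

# One record per TCP connection as a flow collector might export it
# (field names are assumptions; times are seconds).
Flow = namedtuple("Flow", "src dst dport start end")

MIN_DURATION = 600  # tunnels are long-lived; tune to your environment

# Constructed sample flows matching the three-host chain in the text.
# 6565 comes from the page's --listen example; 7000 is a placeholder for
# the entry node's default port.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "192.168.1.5", 7000, 1000, 9000),  # relay -> entry
    Flow("10.10.1.5", "10.0.1.10", 6565, 1200, 9000),    # exit -> relay
    Flow("10.0.1.20", "10.0.1.10", 443, 1300, 1302),     # short request
    Flow("10.0.1.10", "10.0.1.53", 53, 1500, 1501),      # short lookup
]

def long_lived(flows, min_duration=MIN_DURATION):
    """Keep only connections that stayed open at least min_duration."""
    return [f for f in flows if f.end - f.start >= min_duration]

def find_relays(flows, min_duration=MIN_DURATION):
    """Return (downstream, relay, upstream) triples where the relay accepts
    a long-lived inbound connection while holding a long-lived outbound
    connection to a different host for an overlapping period."""
    tunnels = long_lived(flows, min_duration)
    findings = []
    for inbound in tunnels:
        for outbound in tunnels:
            if inbound.dst != outbound.src:
                continue  # the two flows do not meet at the same host
            if outbound.dst == inbound.src:
                continue  # same pair talking both ways, not a chain
            overlap = (min(inbound.end, outbound.end)
                       - max(inbound.start, outbound.start))
            if overlap >= min_duration:
                findings.append((inbound.src, inbound.dst, outbound.dst))
    return findings

if __name__ == "__main__":
    for downstream, relay, upstream in find_relays(SAMPLE_FLOWS):
        print(f"possible relay {relay}: {downstream} -> {relay} -> {upstream}")
```

Legitimate proxies and load balancers produce the same pattern, so treat hits as leads to compare against an allowlist of known intermediaries.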