Oct 03 2008

VoIP Hopper is a free, open-source security tool for Linux/Unix that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper mimics the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments, to hop into the Voice VLAN. VoIP Hopper is both a VLAN Hop test tool and a tool to test VoIP infrastructure security.

In Cisco IP Phone networks, it first dissects either IEEE 802.3 or Ethernet II frames for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the Voice VLAN ID (VVID). This allows the tool to create a new Ethernet interface on the PC that adds the 802.1q VLAN header to the Ethernet packet. After VoIP Hopper has created the new Ethernet device, it will send a DHCP client request. It can also generate CDP messages, just as a CDP-capable IP Phone would do. It will send two CDP packets, requesting the Voice VLAN ID. After creating the new interface, it will then alternate between sleeping for 60 seconds and sending a CDP packet.

In Avaya IP Phone environments, it sends an Option 55 parameter request list, requesting Option 176.  When the DHCP server sends Option 176, it decodes the L2QVLAN reply field for the Voice VLAN ID.  It then creates a new voice interface and sends a DHCP request.

VoIP Hopper can be downloaded from here

Install VoIP Hopper

VoIP Hopper requires libpcap to install and run properly. It also needs the “make” utility to build, so install that as well if it is not already present. Let's get started with installing the prerequisites.

opensuse11:~ # yast2 -i make libpcap libpcap-devel

This should install the “make” utility, libpcap and its development packages.

Now, download VoIP Hopper from here or from a terminal window as follows:

opensuse11:~ # wget -O voiphopper-0.9.9.tar.gz 'http://downloads.sourceforge.net/voiphopper/voiphopper-0.9.9.tar.gz?modtime=1203371558&big_mirror=0'

Unzip & Untar VoIP Hopper

opensuse11:~ # tar -zxvf voiphopper-0.9.9.tar.gz

Install VoIP Hopper

opensuse11:~ # cd voiphopper-0.9.9

opensuse11:~/voiphopper-0.9.9 # make

This should leave the voiphopper binary in the source directory where it was built.

So, let’s have a look at some examples:

Sniff CDP & VoIP Hop

opensuse11:~ # voiphopper -i eth1 -c 0

where “eth1” is the interface

-c 0 – selects sniffing mode

Spoof CDP & VoIP Hop in Cisco SIP environment

opensuse11:~ # voiphopper -i eth1 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1

Spoof CDP & VoIP Hop in Cisco SCCP environment

opensuse11:~ # voiphopper -i eth1 -c 1 -E 'SEP0070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P00308000700' -U 1

VLAN Hop without CDP Sniffing (if VLAN ID is known)

opensuse11:~ # voiphopper -i eth1 -v 200

Discover Voice VLAN in Avaya IP Phone environment

opensuse11:~ # voiphopper -i eth1 -a

Spoof MAC Address of an IP Phone by sniffing for CDP

opensuse11:~ # voiphopper -i eth1 -c 0 -m AA:AA:AA:AA:AA:AA

Spoof MAC Address of an IP Phone using Avaya DHCP request

opensuse11:~ # voiphopper -i eth1 -a -m AA:AA:AA:AA:AA:AA

Spoof MAC Address of an IP Phone by VLAN Hopping without CDP or DHCP

opensuse11:~ # voiphopper -i eth1 -v 200 -m AA:AA:AA:AA:AA:AA

Spoof MAC Address of IP Phone without changing the MAC Address of default ethernet interface

opensuse11:~ # voiphopper -i eth1 -v 200 -m AA:AA:AA:AA:AA:AA -D
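The CDP behaviour described above can also be checked passively from the monitoring side. The following Python sketch is an added example, not part of VoIP Hopper or the original post: it parses 802.3 CDP frames, reads the Voice VLAN ID from the VoIP VLAN Reply TLV, and flags CDP that claims a phone Device ID from a MAC that does not match it. Assumptions: the function names, the constructed sample frames and the inventory set are illustrative, phone Device IDs are taken to be "SEP" or "SIP" followed by the phone's MAC, and the CDP checksum is not verified.

```python
import struct

CDP_SNAP = bytes.fromhex("aaaa0300000c2000")   # LLC/SNAP header that precedes CDP
TLV_DEVICE_ID, TLV_VOIP_VLAN_REPLY = 0x0001, 0x000E

def parse_cdp(frame):
    """Return (source MAC as hex, {tlv_type: value}) for an 802.3 CDP frame, else None."""
    if len(frame) < 26 or frame[14:22] != CDP_SNAP:
        return None
    end = min(len(frame), 14 + struct.unpack_from("!H", frame, 12)[0])
    tlvs, off = {}, 26            # 14 Ethernet + 8 LLC/SNAP + 4 CDP header
    while off + 4 <= end:
        tlv_type, length = struct.unpack_from("!HH", frame, off)
        if length < 4 or off + length > end:
            break                 # malformed TLV: stop instead of reading past the frame
        tlvs[tlv_type] = frame[off + 4:off + length]
        off += length
    return frame[6:12].hex().upper(), tlvs

def voice_vlan(tlvs):
    """VVID from a VoIP VLAN Reply TLV (1 data byte, then a 16-bit VLAN ID)."""
    value = tlvs.get(TLV_VOIP_VLAN_REPLY, b"")
    return struct.unpack("!H", value[1:3])[0] if len(value) >= 3 else None

def check_frame(frame, known_phones):
    """Findings for CDP that claims to be a phone but does not match the inventory."""
    parsed = parse_cdp(frame)
    if parsed is None:
        return []
    src, tlvs = parsed
    device_id = tlvs.get(TLV_DEVICE_ID, b"").decode("ascii", "replace")
    findings = []
    if device_id[:3] in ("SEP", "SIP"):          # assumed naming: prefix + phone MAC
        if device_id[3:].upper() != src:
            findings.append("device ID does not match source MAC")
        if src not in known_phones:
            findings.append("source MAC not in phone inventory")
    return findings

def build(src_hex, tlv_list):
    """Build a constructed 802.3 CDP frame for the samples (checksum left at zero)."""
    body = b"".join(struct.pack("!HH", t, len(v) + 4) + v for t, v in tlv_list)
    payload = CDP_SNAP + bytes([2, 180, 0, 0]) + body
    return bytes.fromhex("01000ccccccc" + src_hex) + struct.pack("!H", len(payload)) + payload

# Constructed samples: switch advertising voice VLAN 200, a real phone, a host posing as one
KNOWN_PHONES = {"00070EEA5086"}
SWITCH = build("001122334455", [(1, b"switch1"), (0x000E, b"\x01\x00\xc8")])
PHONE = build("00070EEA5086", [(1, b"SIP00070EEA5086")])
IMPOSTER = build("020000000001", [(1, b"SIP00070EEA5086")])
```

A host that also clones a phone's MAC (the -m option above) passes both checks, so this complements switch-side port authentication rather than replacing it.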

For more information, click here to visit the project homepage.