VoIP Hopper
"VoIP Hopper is the answer to all voip solution providers who make people believe that VLANS is all you need to secure VoIP" - Sachin Joglekar, Sipera VIPER Lab
What's new?
2/18/08: Version 0.9.9 has been released.
New Features
* CDP Generator! VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any CDP-based IP Phone would do. In this CDP spoof mode, VoIP Hopper sends two CDP packets to decipher the VVID, then alternates between sleeping for 60 seconds and sending another packet. Not only is this faster than CDP sniffing, but it can also help bypass mechanisms that rely on CDP for permitting access to the Voice VLAN.
* Voice VLAN Interface Delete: VoIP Hopper can delete the Voice Interface it created.
* MAC Address Spoof, then exit: VoIP Hopper can change the MAC Address of an interface offline and exit, without VLAN Hopping.
Important Bug Fix:
VoIP Hopper now correctly decodes 2 bytes for the Voice VLAN ID in CDP packets instead of only 1 byte. Previously, large VVID values (such as 415, which does not fit in a single byte) were decoded incorrectly.
Old Features
* Avaya IP Phone Voice VLAN Discovery
* MAC Address Spoofing
Planned New Features or Issues:
* Re-write DHCP code to allow support for more vendor VLAN Discovery
* New Avaya DHCP code
* Alcatel and/or Nortel Device Discovery and/or Cisco enumeration of TFTP data
What is VoIP Hopper?
VoIP Hopper is a GPLv3-licensed security tool, written in C, that rapidly performs a VLAN Hop into the Voice VLAN on specific Ethernet switches. It does this by mimicking the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments. VoIP Hopper is a VLAN Hop test tool, but also a tool for testing VoIP infrastructure security.
In Cisco IP Phone networks, it first dissects either IEEE 802.3 or Ethernet II frames for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it determines the Voice VLAN ID (VVID) from those packets. The tool then creates a new Ethernet interface on the PC that tags each frame with an 802.1q VLAN header carrying that VVID. After VoIP Hopper has created the new Ethernet device, it sends a DHCP client request.
It can also generate CDP messages just as a CDP-based IP Phone would do. It sends two CDP packets requesting the Voice VLAN ID. After creating the new interface, it alternates between sleeping for 60 seconds and sending a CDP packet.
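The CDP decoding described above (and the 2-byte VVID fix in the 0.9.9 notes), as an added example written for this page rather than VoIP Hopper's own source: a bounded walk over the CDP TLVs that returns the Voice VLAN ID from the VoIP VLAN Reply TLV (type 0x000E, whose value is one data byte followed by a two-byte VLAN ID), which is also what a monitoring sensor would decode to audit what a switch port advertises. The CDP payload is constructed, and the checksum is not validated.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CDP_HDR_LEN             4       /* version (1), TTL (1), checksum (2) */
#define CDP_TLV_VOIP_VLAN_REPLY 0x000E

/* Returns the Voice VLAN ID carried in a CDP VoIP VLAN Reply TLV, or -1 if
 * the payload holds no such TLV or is malformed.  'cdp' points at the CDP
 * payload (just past the SNAP header); the checksum is not validated here. */
int cdp_voice_vlan(const uint8_t *cdp, size_t len)
{
    size_t off = CDP_HDR_LEN;

    while (off + 4 <= len) {
        /* every TLV: 2-byte type, 2-byte length (length counts these 4 bytes) */
        unsigned type = (unsigned)cdp[off] << 8 | cdp[off + 1];
        unsigned tlen = (unsigned)cdp[off + 2] << 8 | cdp[off + 3];

        if (tlen < 4 || off + tlen > len)
            return -1;                /* bogus length: refuse to read past the buffer */

        if (type == CDP_TLV_VOIP_VLAN_REPLY) {
            const uint8_t *val = cdp + off + 4;
            if (tlen - 4 < 3)
                return -1;            /* needs 1 data byte + a 2-byte VLAN ID */
            /* VVID is 16 bits big-endian; reading only val[2] would turn 415
             * (0x019F) into 159, the kind of truncation the 0.9.9 fix addresses */
            return (int)(((unsigned)val[1] << 8) | val[2]);
        }
        off += tlen;
    }
    return -1;
}

/* Constructed sample CDP payload (not a real capture): version 2, TTL 180,
 * zero checksum, a Device ID TLV "sw1", then a VoIP VLAN Reply TLV with VVID 415. */
static const uint8_t SAMPLE_CDP[] = {
    0x02, 0xB4, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x07, 's', 'w', '1',
    0x00, 0x0E, 0x00, 0x07, 0x01, 0x01, 0x9F,
};

int main(void)
{
    printf("Voice VLAN ID: %d\n", cdp_voice_vlan(SAMPLE_CDP, sizeof SAMPLE_CDP));
    return 0;
}
```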
In Avaya IP Phone environments, it sends a DHCP Option 55 parameter request list asking for Option 176. When the DHCP server returns Option 176, it decodes the L2QVLAN field of the reply to obtain the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request.
Why?
VoIP Hopper was written with the specific aim of improving security in VoIP environments by validating Layer 2 protection controls. It is a VLAN test tool that can be used to validate controls in VoIP environments, but also anywhere else VLANs are used (basically everywhere).
Usage
VoIP Hopper can be used to spoof CDP (as an IP Phone) and automatically create a new Ethernet device based on the discovered VVID. It can also be used to add an arbitrary VLAN interface (a plain VLAN Hop) without spoofing CDP, to automatically discover the Voice VLAN ID in Avaya IP Phone networks, and to spoof the MAC address of an IP Phone. The following screen shot shows VoIP Hopper in action.
Requirements
libpcap, Linux, a C compiler.
VoIP Hopper is designed for, and has been tested on, BackTrack Linux. It runs just fine in a default installation of BackTrack. It has also been tested to compile and run on Fedora 9. It should compile and run on other versions of UNIX / Linux.
It has been tested to dissect CDP packets on the following Cisco IOS Ethernet Switch platforms:
1. Catalyst 3550
2. Catalyst 3560
3. Catalyst 3750
4. Catalyst 6513 with WS-X6148A-GE-45AF module
Where can I get it?
You can download VoIP Hopper from the project downloads page.
Credits
Jamal Pecou
FX (Author of IRPAS Suite)
Ben Greear and his 802.1q VLAN Implementation for Linux
Nitesh Dhanjani and Justin Clarke
Remote-Exploit.org developers of BackTrack
John Kindervag & Joel Hart
Alvaro Lopez Ortega (GNU MAC Changer author)
Yoichi Hariguchi, Sergei Viznyuk (dhcpcd authors)
All contributors to Libpcap
Feedback
Don't flame me to tell me that the design or implementation of the C code is ugly (I already know the code isn't as pretty as Jessica Biel). I don't get paid to code VoIP Hopper and can only do it in my spare time. If you have constructive feedback about useful features, implementation suggestions, or any insight or feedback on how VoIP Hopper helped you, I would like to hear from you.
Author
Jason Ostrom, jpo@pobox.com