VoIP Hopper

"VoIP Hopper is the answer to all VoIP solution providers who make people believe that VLANs is all you need to secure VoIP" - Sachin Joglekar, Sipera VIPER Lab

What’s new?

2/18/08:  Version 0.9.9 has been released.

New Features 
* CDP Generator!  VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any CDP-based IP Phone would do.  In this CDP spoof mode, VoIP Hopper sends two CDP packets in order to learn the VVID, then alternates between sleeping for 60 seconds and sending another packet.  Not only is this faster than CDP sniffing, but it can also help bypass any mechanisms that rely on CDP for permitting access to the Voice VLAN.
* Voice VLAN Interface Delete:  VoIP Hopper can delete the created Voice Interface
* MAC Address Spoof, then exit:  VoIP Hopper can change the MAC Address of an interface offline and exit, without VLAN Hopping.

Important Bug Fix:
VoIP Hopper now correctly decodes 2 bytes for the Voice VLAN ID in CDP packets instead of only 1 byte.  This fixes large VVID values (such as 415) being decoded incorrectly.
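The two-byte decode described in this bug fix, as an added example (not VoIP Hopper's own code): a bounds-checked CDP TLV walk that reads the Voice VLAN ID from a constructed packet, next to the one-byte decode the fix replaced. The TLV type 0x000e and its value layout are assumptions taken from public CDP dissectors; the function names and the choice of the low byte for the old behaviour are also assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define CDP_TLV_VOIP_VLAN_REPLY 0x000e /* assumed: value = 1 data byte + 16-bit BE VLAN ID */

/* Constructed sample: CDP header, Device ID TLV "sw1", VoIP VLAN Reply 415. */
static const uint8_t SAMPLE_CDP[] = {
    0x02, 0xb4, 0x00, 0x00,                     /* version, TTL, checksum (dummy) */
    0x00, 0x01, 0x00, 0x07, 's', 'w', '1',      /* Device ID */
    0x00, 0x0e, 0x00, 0x07, 0x01, 0x01, 0x9f    /* VVID 0x019f = 415 */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Return a pointer to the 2-byte VLAN field, or NULL if missing or malformed. */
static const uint8_t *find_vvid_field(const uint8_t *cdp, size_t len)
{
    size_t off = 4;                             /* skip version, TTL, checksum */
    while (off + 4 <= len) {
        uint16_t tlen = be16(cdp + off + 2);    /* covers the 4-byte TLV header too */
        if (tlen < 4 || tlen > len - off)
            return NULL;                        /* zero-progress or truncated TLV */
        if (be16(cdp + off) == CDP_TLV_VOIP_VLAN_REPLY)
            return tlen >= 7 ? cdp + off + 5 : NULL;
        off += tlen;
    }
    return NULL;
}

/* Correct decode: both bytes, rejected unless a usable 802.1Q ID (1..4094). */
int vvid_two_bytes(const uint8_t *cdp, size_t len)
{
    const uint8_t *p = find_vvid_field(cdp, len);
    int v = p ? be16(p) : -1;
    return (v >= 1 && v <= 4094) ? v : -1;
}

/* The one-byte decode the fix replaced; reading the low byte is an assumption. */
int vvid_one_byte(const uint8_t *cdp, size_t len)
{
    const uint8_t *p = find_vvid_field(cdp, len);
    return p ? p[1] : -1;
}

int main(void)
{
    printf("two-byte: %d\n", vvid_two_bytes(SAMPLE_CDP, sizeof SAMPLE_CDP));
    printf("one-byte: %d\n", vvid_one_byte(SAMPLE_CDP, sizeof SAMPLE_CDP));
    return 0;
}
```

Any VVID above 255 loses its high byte under the one-byte decode, so the tagged interface would be created on the wrong VLAN.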

Old Features

* Avaya IP Phone Voice VLAN Discovery
* MAC Address Spoofing

Planned New Features or Issues:
* Re-write DHCP code to allow support for more vendor VLAN Discovery
* New Avaya DHCP code
* Alcatel and/or Nortel Device Discovery and/or Cisco enumeration of TFTP data


What is VoIP Hopper?

VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches.  VoIP Hopper does this by mimicking the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments.  VoIP Hopper is a VLAN Hop test tool but also a tool to test VoIP infrastructure security. 

In Cisco IP Phone networks, it first dissects IEEE 802.3 or Ethernet II frames for Cisco Discovery Protocol (CDP) packets.  If CDP and the Voice VLAN feature are both enabled on the switch port, it determines the Voice VLAN ID (VVID).  This allows the tool to create a new Ethernet interface on the PC that adds the 802.1Q VLAN tag to the Ethernet frames it sends.  After VoIP Hopper has created the new Ethernet device, it sends a DHCP client request.  It can also generate CDP messages just as a CDP-based IP Phone would do: it sends two CDP packets requesting the Voice VLAN ID and, after creating the new interface, alternates between sleeping for 60 seconds and sending a CDP packet.

In Avaya IP Phone environments, it sends an Option 55 parameter request list, requesting Option 176.  When the DHCP server sends Option 176, it decodes the L2QVLAN reply field for the Voice VLAN ID.  It then creates a new voice interface and sends a DHCP request.

Why?

VoIP Hopper was written with the specific aim of improving security in VoIP environments by validating Layer 2 protection controls.  It is a VLAN test tool that can be used to validate controls in VoIP environments but also anywhere else VLANs are used (basically everywhere).

Usage

VoIP Hopper can be used to spoof CDP (as an IP Phone) and automatically create a new Ethernet device based on the discovered VVID. It can also add an arbitrary VLAN interface (VLAN Hop) without spoofing CDP, automatically discover the Voice VLAN ID in Avaya IP Phone networks, and spoof the MAC address of an IP Phone. The following screenshot shows VoIP Hopper in action.

VoIP Hopper in Action


Requirements

libpcap, Linux, and a C compiler.

VoIP Hopper is designed for, and has been tested on, BackTrack Linux.  It runs just fine in a default installation of BackTrack. It has also been tested to compile and run on Fedora 9.  It should compile and run on other versions of UNIX / Linux.

It has been tested to dissect CDP packets on the following Cisco IOS Ethernet Switch platforms:

1. Catalyst 3550
2. Catalyst 3560
3. Catalyst 3750
4. Catalyst 6513 with WS-X6148A-GE-45AF module

Where can I get it?

You can download VoIP Hopper from the Project downloads page.

Credits

Jamal Pecou

FX (Author of IRPAS Suite)

Ben Greear and his 802.1q VLAN Implementation for Linux

Nitesh Dhanjani and Justin Clarke

Remote-Exploit.org developers of BackTrack

John Kindervag & Joel Hart

Alvaro Lopez Ortega (GNU MAC Changer author)

Yoichi Hariguchi, Sergei Viznyuk (dhcpcd authors)

All contributors to Libpcap 

Feedback

Don't flame me to tell me that the design or implementation of the C code is ugly (I already know the code isn't as pretty as Jessica Biel). I don't get paid to code VoIP Hopper and can only do it in my spare time. If you have constructive feedback about useful features, implementation suggestions, or any insight or feedback on how VoIP Hopper helped you, I would like to hear from you.

Author

Jason Ostrom, jpo@pobox.com
