VoIP Hopper is a GPLv3-licensed security tool, written in C, that rapidly performs a VLAN hop into the Voice VLAN on specific Ethernet switches. It does this by mimicking the behavior of an IP Phone in Cisco, Avaya, and Nortel environments. VoIP Hopper is a VLAN hop test tool and also a tool for testing VoIP infrastructure security.

In Cisco IP Phone networks, it first dissects IEEE 802.3 or Ethernet II frames for Cisco Discovery Protocol (CDP) packets. If CDP and the Voice VLAN feature are both enabled on the switch port, it determines the Voice VLAN ID (VVID). With the VVID, the tool creates a new Ethernet interface on the PC that adds the 802.1Q VLAN header to its Ethernet frames. After VoIP Hopper has created the new Ethernet device, it sends a DHCP client request. It can also generate CDP messages just as a CDP-based IP Phone would: it sends two CDP packets requesting the Voice VLAN ID and, after creating the new interface, alternates between sleeping for 60 seconds and sending a CDP packet.

In Avaya IP Phone environments, it sends an Option 55 parameter request list, requesting Option 176. When the DHCP server sends Option 176, it decodes the L2QVLAN reply field for the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request.

In Nortel IP Phone networks, VoIP Hopper sends an Option 55 parameter request list, requesting Option 191. When the DHCP Server sends Option 191 data, it decodes the VLAN-A: string for the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request.
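A monitoring-side view of the Avaya and Nortel discovery described above, as an added example (not VoIP Hopper's code): it parses a DHCP options field and flags a client that requests Option 176 or 191 without being a known phone. The OUI allowlist, function names and sample bytes are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option numbers named on this page; 0, 55 and 255 are standard DHCP codes. */
enum { OPT_PAD = 0, OPT_PARAM_REQ = 55, OPT_AVAYA = 176, OPT_NORTEL = 191, OPT_END = 255 };

/* Walk a DHCP options field (the bytes after the magic cookie).
 * Returns 176 or 191 if Option 55 requests it, 0 if not, -1 if malformed. */
int voice_vlan_option_requested(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;          /* pad has no length byte */
        if (code == OPT_END) break;
        if (i >= len) return -1;                /* length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) return -1;          /* value runs past the buffer */
        if (code == OPT_PARAM_REQ)
            for (size_t j = 0; j < olen; j++)
                if (opts[i + j] == OPT_AVAYA || opts[i + j] == OPT_NORTEL)
                    return opts[i + j];
        i += olen;
    }
    return 0;
}

/* Hypothetical allowlist: OUIs of the phones deployed on site (constructed). */
static const uint8_t PHONE_OUIS[][3] = { {0x02, 0x00, 0x5e}, {0x02, 0x11, 0x22} };

int is_known_phone(const uint8_t mac[6])
{
    for (size_t k = 0; k < sizeof PHONE_OUIS / sizeof PHONE_OUIS[0]; k++)
        if (memcmp(mac, PHONE_OUIS[k], 3) == 0) return 1;
    return 0;
}
/* Alert (1) when a non-phone MAC asks for a voice-VLAN option. */
int suspicious_dhcp_request(const uint8_t mac[6], const uint8_t *opts, size_t len)
{
    return voice_vlan_option_requested(opts, len) > 0 && !is_known_phone(mac);
}

/* Constructed samples: option 53 (message type), option 55 list, end. */
static const uint8_t SAMPLE_PC_OPTS[]  = { 53, 1, 1, 55, 4, 1, 3, 6, 15, 255 };
static const uint8_t SAMPLE_REQ_OPTS[] = { 53, 1, 1, 55, 4, 1, 3, 6, 176, 255 };
static const uint8_t SAMPLE_PHONE_MAC[6] = { 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30 };
static const uint8_t SAMPLE_PC_MAC[6]    = { 0x02, 0xaa, 0xbb, 0x01, 0x02, 0x03 };
int main(void) { puts(suspicious_dhcp_request(SAMPLE_PC_MAC, SAMPLE_REQ_OPTS, sizeof SAMPLE_REQ_OPTS) ? "ALERT" : "ok"); return 0; }
```

The page notes that the tool can also spoof the MAC address of an IP Phone, so the OUI allowlist is only a first-pass signal.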

Why?

5.5.09

VoIP Hopper was written with the specific aim of improving security in VoIP environments by validating Layer 2 protection controls. It is a VLAN test tool that can be used to validate controls in VoIP environments but also anywhere else VLANs are used (basically everywhere).

Usage

VoIP Hopper can be used to spoof CDP (as an IP Phone) and automatically create a new Ethernet device based on the discovered VVID. It can also add an arbitrary VLAN interface (a VLAN hop) without spoofing CDP, automatically discover the Voice VLAN ID in Avaya or Nortel IP Phone networks, and spoof the MAC address of an IP Phone. See the images link for screenshots of VoIP Hopper in action.

Requirements

libpcap

C compiler

Linux

VoIP Hopper is designed to run on BackTrack, although the development platform was Ubuntu 9.04. It should compile and run on other versions of UNIX / Linux. It has been tested to dissect CDP packets on the following Cisco IOS Ethernet Switch platforms:

1. Catalyst 3550
2. Catalyst 3560
3. Catalyst 3750
4. Catalyst 6513 with WS-X6148A-GE-45AF module

Credits

Arjun Sambamoorthy
Jamal Pecou
FX (Author of IRPAS Suite)
Ben Greear and his 802.1q VLAN Implementation for Linux
Nitesh Dhanjani and Justin Clarke
Remote-Exploit.org developers of BackTrack
John Kindervag & Joel Hart
Alvaro Lopez Ortega (GNU MAC Changer author)
Yoichi Hariguchi, Sergei Viznyuk (dhcpcd authors)
All contributors to Libpcap