New Features and Bug Fixes
There are several new features for this release of VoIP Hopper:
- Avaya DHCP client Option 242 automatic Voice VLAN discovery, for newer Avaya IP Phone infrastructures.
- New Alcatel-Lucent mode support: Can automatically discover the Alcatel infrastructure Voice VLAN ID via spoofing DHCP client Option 43, and sending an Alcatel compliant DHCP request.
- New Alcatel-Lucent mode support: Can automatically discover the Alcatel infrastructure Voice VLAN ID via spoofing an Alcatel compliant LLDP-MED packet, and sending an Alcatel compliant DHCP request.
- New Alcatel-Lucent mode support: User can specify a VLAN ID to hop into, and the code will send a spoofed Alcatel compliant DHCP request.
- With Alcatel modes, user can supply a spoofed MAC address to spoof DHCP Option 12 and 61
- Improved LLDP-MED spoofing support for user supplied MAC address in TLVs (Cisco, Alcatel)
Complete Feature List
- Assessment Mode: An interactive mode with several sub-features.
Great for pentesting. See the 'Details' link for a more complete
description of assessment mode.
- New VLAN Discovery Protocol method: LLDP-MED (spoofing, sniffing).
- New VLAN Discovery Protocol method: 802.1q. The tool now has an 802.1q frame libpcap sniffer.
passive ARP sniffer (for discovery of IP Phones in Voice VLAN subnet)
records all learned IP Phones into a text file, voip-hosts.txt, via
analysis of broadcast ARP traffic.
- ARP sniffer can record
all devices on the default interface to a file, hosts.txt, via analysis
of broadcast ARP traffic. Great for passive discovery during a pentest,
and obviates the need to do more intrusive ARP scanning.
VLAN Hop and sniff even when DHCP is disabled (assessment mode). Can
'become' an IP Phone by setting a static IP address and spoofing the MAC
address from a list of previously discovered phones.
- Automatically VLAN hops via first discovered VLAN ID (CDP, LLDP, 802.1q) when running in assessment mode.
- Several enhancements to integrated DHCP client code
- Can automatically discover the VLAN ID and VLAN Hop (add a VoIP Interface, send a "tagged" dhcp request)
- VLAN protocol discovery methods: CDP, Avaya DHCP, Nortel DHCP, LLDP-MED (Cisco), 802.1q
- Assessment mode: Interactive, menu driven command interface (-z)
- Assessment mode: Manually spoof CDP or LLDP-MED, or automatically VLAN Hop based on first discovered VVID
- Assessment mode: DHCP client automatically times out if DHCP is disabled, and still adds the VoIP interface and ARP sniffer
- Assessment mode: Can set a static IP address and spoof the MAC address of a previously discovered IP Phone, from a menu list ('s' option)
- Assessment mode: Analyze and record any discovered hosts (IP and MAC) on default interface to hosts.txt file
- Assessment mode: Automatically adds an ARP sniffer to VoIP VLAN interface after VLAN Hop, and records any discovered IP Phones (IP and MAC) to a file, voip-hosts.txt
- Can VLAN Hop without discovery, by the Administrator specifying a VLAN ID to attempt to "Hop" into (-v)
- VoIP DHCP client: A fully integrated DHCP client. VoIP Hopper implements DHCP messaging as function calls instead of relying on the old 'dhcpcd' client. This opens up the door for future VLAN Discovery mechanisms for other vendors, such as Alcatel.
- CDP Modes: Can spoof a Cisco IP Phone and automatically VLAN Hop, using three methods. 1) CDP sniffing, 2) Spoofing a CDP packet specified by user input, 3) Spoofing a pre-constructed IP Phone packet of a Cisco 7971G-GE (fastest method)
- Avaya IP Phone VLAN discovery: Can spoof the DHCP client Option 176 used by an Avaya IP Phone in order to automatically discover the VVID, and VLAN Hop.
- Nortel IP Phone VLAN discovery: Can spoof the DHCP client Option 191 used by a Nortel IP Phone in order to automatically discover the VVID, and VLAN Hop.
- LLDP-MED support: Support for sniffing or spoofing LLDP-MED capabilities used by an IP Phone, in order to enumerate the Voice VLAN ID.
- 802.1q VLAN Discovery: By default, most ethernet switch ports that terminate IP Phones are enabled for 802.1q trunking, and permit access for at least two VLANs. The broadcast ethernet frames of IP Phones (ARP) will be sent, tagged, to all members (switch ports) of the broadcast domain (all IP Phones on the VoIP VLAN). By running a simple sniffer, you can capture the VVID. VoIP Hopper automates this method of VVID discovery.
- Error correction with VLAN Interfaces: Implemented a feature that checks to see if the IP address is already configured for the voice interface before attempting to add the new virtual interface, and tag the DHCP request.
- 802.1x Anonymous Voice VLAN Bypass: VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any IP Phone based on CDP would do. In this CDP spoof mode, VoIP Hopper will send two CDP packets in order to decipher the VVID, then it will iterate between sleeping for 60 seconds, and sending another packet. Not only is this faster than CDP sniffing, but it can also help bypass any mechanisms that rely on CDP for permitting access to the Voice VLAN.
- Voice VLAN Interface Delete: VoIP Hopper can delete the created Voice interface (-d).
- MAC Address Spoof, then exit: VoIP Hopper can change the MAC Address of an interface offline and exit, without VLAN Hopping.
- MAC Address spoof and automatic VLAN Hop, supporting multiple discovery methods
- MAC Address spoof, only on new VoIP Interface (keep default interface the same MAC Address) (-D)
- Enhance LLDP-MED spoofing: Spoof a 12 character Device ID of an IP Phone, via command line, specified by user
- Port to Mac OS X
- Assessment mode scan of DHCP VVID Discovery (Nortel, Avaya)