VoIP Hopper is a free, open-source, Unix/Linux-based security tool that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper mimics the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments, to hop into the Voice VLAN. VoIP Hopper is both a VLAN Hop test tool and a tool to test VoIP infrastructure security.
In Cisco IP Phone networks, it first dissects either IEEE 802.3 or Ethernet II frames for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the Voice VLAN ID (VVID). This allows the tool to create a new Ethernet interface on the PC that tags Ethernet packets with the 802.1q VLAN header. After VoIP Hopper has created the new Ethernet device, it sends a DHCP client request. It can also generate CDP messages, just as a CDP-based IP Phone would: it sends two CDP packets requesting the Voice VLAN ID and, after creating the new interface, alternates between sleeping for 60 seconds and sending a CDP packet.
In Avaya IP Phone environments, it sends an Option 55 parameter request list, requesting Option 176. When the DHCP server sends Option 176, it decodes the L2QVLAN reply field for the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request.
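A defender can apply the same CDP dissection described above to spot a host posing as an IP phone on an access port. The following is an added example, not part of VoIP Hopper or the original page; it handles only the 802.3/SNAP encapsulation, and the function names, the MAC inventory, the sample frames, the VoIP VLAN TLV layout (one data byte followed by the VLAN ID) and the convention that a phone's device ID is SEP/SIP plus its MAC are assumptions.

```python
import struct

CDP_DST = bytes.fromhex("01000ccccccc")       # CDP multicast destination
SNAP_CDP = bytes.fromhex("aaaa0300000c2000")  # LLC/SNAP, Cisco OUI, PID 0x2000
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id", 0x0006: "platform",
             0x000E: "voip_vlan_reply", 0x000F: "voip_vlan_query"}

def parse_cdp(frame):
    """Return (src_mac_hex, tlvs) for an 802.3/SNAP CDP frame, or None."""
    if len(frame) < 26 or frame[:6] != CDP_DST or frame[14:22] != SNAP_CDP:
        return None
    tlvs, off = {}, 26  # 22 bytes of Ethernet/LLC/SNAP + version, TTL, checksum
    while off + 4 <= len(frame):
        tlv_type, length = struct.unpack_from("!HH", frame, off)
        if length < 4 or off + length > len(frame):
            break  # malformed TLV: stop instead of reading past the frame
        value, name = frame[off + 4:off + length], TLV_NAMES.get(tlv_type)
        if name in ("voip_vlan_reply", "voip_vlan_query"):
            if len(value) >= 3:  # assumed layout: 1 data byte, then VLAN ID
                tlvs[name] = struct.unpack_from("!H", value, 1)[0] & 0x0FFF
        elif name:
            tlvs[name] = value.decode("ascii", "replace")
        off += length
    return frame[6:12].hex(), tlvs

def audit(frame, phone_macs):
    """List reasons a CDP frame looks like a host posing as an IP phone."""
    parsed = parse_cdp(frame)
    if parsed is None:
        return []
    src, tlvs = parsed
    dev, findings = tlvs.get("device_id", ""), []
    named_like_phone = dev[:3] in ("SEP", "SIP")
    if (named_like_phone or "voip_vlan_query" in tlvs) and src not in phone_macs:
        findings.append("phone-like CDP from MAC outside inventory: " + src)
    if named_like_phone and dev[3:].lower() != src:  # assumption: ID embeds MAC
        findings.append("device ID %s does not match source MAC %s" % (dev, src))
    return findings

def build_frame(src_hex, tlvs):
    """Construct a sample CDP frame (test data only; checksum left as zero)."""
    payload = SNAP_CDP + b"\x02\xb4\x00\x00" + b"".join(
        struct.pack("!HH", t, len(v) + 4) + v for t, v in tlvs)
    return CDP_DST + bytes.fromhex(src_hex) + struct.pack("!H", len(payload)) + payload

# Constructed samples: a switch advertising voice VLAN 200, and an unknown host.
INVENTORY = {"020000000001"}
SWITCH = build_frame("020000000099", [(0x0001, b"sw1"), (0x000E, b"\x01\x00\xc8")])
ROGUE = build_frame("0200000000aa", [(1, b"SEP020000000001"), (0x0F, b"\x01\x00\x00")])
```

Fed frames from a SPAN port or capture file, audit() returns an empty list for the switch's own advertisement and for inventoried phones, and one or more findings for the constructed rogue frame.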
VoIP Hopper can be downloaded from here
VoIP Hopper requires
libpcap – For Sniffing
GNU C Compiler & Make utility to install
Unzip & Untar VOIP Hopper
debian# tar -zxvf voiphopper-0.9.9.tar.gz
Change Directory and Install
debian# cd voiphopper-0.9.9
This installs VoIP Hopper on your Linux distribution.
Some usage examples:
Sniff CDP & VoIP Hop
debian# voiphopper -i eth1 -c 0
where "eth1" is the interface
-c 0 – Defines sniffing
Spoof CDP & VoIP Hop in Cisco SIP environment
debian# voiphopper -i eth1 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1
Spoof CDP & VoIP Hop in Cisco SCCP environment
debian# voiphopper -i eth1 -c 1 -E 'SEP0070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P00308000700' -U 1
VLAN Hop without CDP Sniffing (if VLAN ID is known)
debian# voiphopper -i eth1 -v 200
Discover Voice VLAN in Avaya IP Phone environment
debian# voiphopper -i eth1 -a
Spoof MAC Address of an IP Phone by sniffing for CDP
debian# voiphopper -i eth1 -c 0 -m AA:AA:AA:AA:AA:AA
Spoof MAC Address of an IP Phone using Avaya DHCP request
debian# voiphopper -i eth1 -a -m AA:AA:AA:AA:AA:AA
Spoof MAC Address of an IP Phone by VLAN Hopping without CDP or DHCP
debian# voiphopper -i eth1 -v 200 -m AA:AA:AA:AA:AA:AA
Spoof MAC Address of IP Phone without changing the MAC Address of the default Ethernet interface
debian# voiphopper -i eth1 -v 200 -m AA:AA:AA:AA:AA:AA -D