VoIP Hopper - VoIP VLAN Hopping Tool

VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific ethernet switches. VoIP Hopper does this by mimicking the behavior of an IP Phone, in Cisco, Avaya, and Nortel environments.  This requires two important steps in order for the tool to traverse VLANs for unauthorized access.  First,  discovery of the correct 12 bit Voice VLAN ID (VVID) used by the IP Phones is required.  VoIP Hopper supports multiple protocol discovery methods (CDP, DHCP, LLDP-MED, 802.1q ARP) for this important first step.  Second, the tool creates a virtual VoIP ethernet interface on the OS. 

It then inserts a spoofed 4-byte 802.1q vlan header containing the 12 bit VVID into a spoofed DHCP request.  Once it receives an IP address in the VoIP VLAN subnet, all subsequent ethernet frames are "tagged" with the spoofed 802.1q header.  VoIP Hopper is a VLAN Hop test tool but also a tool to test VoIP infrastructure security.

In Cisco IP Phone networks, it first dissects either IEEE 802.3 or Ethernet II for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the VVID. This will allow the tool to create a new Ethernet interface on the PC that tags the 802.1q VLAN header in the Ethernet packet. After VoIP Hopper has created the new Ethernet device, it will send a DHCP client request. It can also generate CDP messages just as an IP Phone based on CDP would do. It will send two CDP packets, requesting the Voice VLAN ID. After creating the new interface, it will then iterate between sleeping for 60 seconds, and sending a CDP packet.

Features

  • Can automatically discover the VLAN ID and VLAN Hop (add a VoIP Interface, send a "tagged" dhcp request)
  • VLAN protocol discovery methods:  CDP, Avaya DHCP, Nortel DHCP, LLDP-MED (Cisco), 802.1q
  • Assessment mode:  Interactive, menu driven command interface (-z)
  • Assessment mode:  Manually spoof CDP or LLDP-MED, or automatically VLAN Hop based on first discovered VVID
  • Assessment mode:  DHCP client automatically times out if DHCP is disabled, and still adds the VoIP interface and ARP sniffer
  • Assessment mode:  Can set a static IP address and spoof the MAC address of a previously discovered IP Phone, from a menu list ('s' option)
  • Assessment mode:  Analyze and record any discovered hosts (IP and MAC) on default interface to hosts.txt file
  • Assessment mode:  Automatically adds an ARP sniffer to VoIP VLAN interface after VLAN Hop, and records any discovered IP Phones (IP and MAC) to a file, voip-hosts.txt
  • Can VLAN Hop without discovery, by the Administrator specifying a VLAN ID to attempt to "Hop" into (-v)
  • VoIP DHCP client:  A fully integrated DHCP client.  VoIP Hopper implements DHCP messaging as function calls instead of relying on the old 'dhcpcd' client.  This opens up the door for future VLAN Discovery mechanisms for other vendors, such as Alcatel.
  • CDP Modes:  Can spoof a Cisco IP Phone and automatically VLAN Hop, using three methods.  1)  CDP sniffing, 2) Spoofing a CDP packet specified by user input, 3) Spoofing a pre-constructed IP Phone packet of a Cisco 7971G-GE (fastest method)
  • Avaya IP Phone VLAN discovery:  Can spoof the DHCP client Option 176 used by an Avaya IP Phone in order to automatically discover the VVID, and VLAN Hop.
  • Nortel IP Phone VLAN discovery:  Can spoof the DHCP client Option 191 used by a Nortel IP Phone in order to automatically discover the VVID, and VLAN Hop.
  • LLDP-MED support:  Support for sniffing or spoofing LLDP-MED capabilities used by an IP Phone, in order to enumerate the Voice VLAN ID.
  • 802.1q VLAN Discovery:  By default, most ethernet switch ports that terminate IP Phones are enabled for 802.1q trunking, and permit access for at least two VLANs.  The broadcast ethernet frames of IP Phones (ARP) will be sent, tagged, to all members (switch ports) of the broadcast domain (all IP Phones on the VoIP VLAN).  By running a simple sniffer, you can capture the VVID.  VoIP Hopper automates this method of VVID discovery.
  • Error correction with VLAN Interfaces:  Implemented a feature that checks to see if the IP address is already configured for the voice interface before attempting to add the new virtual interface, and tag the DHCP request.
  • 802.1x Anonymous Voice VLAN Bypass:  VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any IP Phone based on CDP would do.  In this CDP spoof mode, VoIP Hopper will send two CDP packets in order to decipher the VVID, then it will iterate between sleeping for 60 seconds, and sending another packet.  Not only is this faster than CDP sniffing, but it can also help bypass any mechanisms that rely on CDP for permitting access to the Voice VLAN.
  • Voice VLAN Interface Delete:  VoIP Hopper can delete the created Voice interface (-d).
  • MAC Address Spoof, then exit:  VoIP Hopper can change the MAC Address of an interface offline and exit, without VLAN Hopping.
  • MAC Address spoof and automatic VLAN Hop, supporting multiple discovery methods
  • MAC Address spoof, only on new VoIP Interface (keep default interface the same MAC Address) (-D)

Download



Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.