VoIP Hopper – VLAN Hopping Tool

VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper does this by mimicking the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments.

In Cisco IP Phone networks, it first dissects IEEE 802.3 or Ethernet II frames, looking for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the Voice VLAN ID (VVID).

This allows the tool to create a new Ethernet interface on the PC that adds the 802.1Q VLAN tag to the Ethernet frames. After VoIP Hopper has created the new Ethernet device, it sends a DHCP client request.
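The CDP step described above, as an added example that is not VoIP Hopper's own code: a parser a network engineer can run over a captured frame to see which Voice VLAN ID a switch port advertises. It handles only the 802.3 LLC/SNAP encapsulation and does not verify the CDP checksum; the sample frame and the function name `cdp_voice_vlan` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CDP_TLV_VOIP_VLAN_REPLY 0x000e

/* Constructed sample, not a capture: 802.3 + LLC/SNAP CDP frame from a
 * hypothetical switch advertising native VLAN 10 and voice VLAN 200. */
static const uint8_t sample_frame[] = {
    0x01, 0x00, 0x0c, 0xcc, 0xcc, 0xcc,             /* CDP multicast dst   */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,             /* src (made up)       */
    0x00, 0x21,                                     /* 802.3 length = 33   */
    0xaa, 0xaa, 0x03, 0x00, 0x00, 0x0c, 0x20, 0x00, /* LLC/SNAP, PID 2000  */
    0x02, 0xb4, 0x00, 0x00,                         /* ver, TTL, cksum (0) */
    0x00, 0x01, 0x00, 0x08, 's', 'w', '0', '1',     /* Device ID TLV       */
    0x00, 0x0a, 0x00, 0x06, 0x00, 0x0a,             /* Native VLAN TLV     */
    0x00, 0x0e, 0x00, 0x07, 0x01, 0x00, 0xc8        /* VoIP VLAN Reply TLV */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the advertised voice VLAN ID, 0 if the CDP frame carries no VoIP
 * VLAN Reply TLV, or -1 if the buffer is not a well-formed CDP frame. */
int cdp_voice_vlan(const uint8_t *f, size_t len)
{
    static const uint8_t dst[6] = {0x01, 0x00, 0x0c, 0xcc, 0xcc, 0xcc};
    static const uint8_t snap[8] = {0xaa, 0xaa, 0x03, 0x00, 0x00, 0x0c, 0x20, 0x00};
    size_t off = 14 + 8 + 4;   /* MAC header, LLC/SNAP, CDP version/TTL/checksum */

    if (len < off || memcmp(f, dst, 6) != 0 || memcmp(f + 14, snap, 8) != 0)
        return -1;
    while (off + 4 <= len) {
        uint16_t type = be16(f + off), tlen = be16(f + off + 2);
        if (tlen < 4 || off + tlen > len)
            return -1;         /* TLV length includes its own 4-byte header */
        if (type == CDP_TLV_VOIP_VLAN_REPLY && tlen >= 7)
            return be16(f + off + 5) & 0x0fff;  /* 1 data byte, then the VVID */
        off += tlen;
    }
    return 0;
}

int main(void)
{
    printf("voice VLAN advertised: %d\n", cdp_voice_vlan(sample_frame, sizeof sample_frame));
    return 0;
}
```

A return value of 0 on a port that is not meant to serve phones confirms that no voice VLAN is being advertised to whatever is plugged in there.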

In Avaya IP Phone environments, it sends a DHCP Option 55 parameter request list that requests Option 176. When the DHCP server sends Option 176, the tool decodes the L2QVLAN reply field for the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request.


VoIP Hopper was written with the specific aim of improving security in VoIP environments by validating Layer 2 protection controls. It is a VLAN test tool that can be used to validate controls in VoIP environments but also anywhere else VLANs are used (basically everywhere).

You can download VoIP Hopper here:

VoIP Hopper 0.9.7

Or read more here.

Posted in: Hacking Tools, Networking Hacking Tools

6 Responses to VoIP Hopper – VLAN Hopping Tool

  1. goodpeople January 15, 2008 at 4:58 pm #

    I’ve never had the opportunity to play in a voip environment. But this sounds like a useful tool..

  2. eM3rC February 7, 2008 at 5:30 am #

    Seems like it would be a fun thing to play with.

    Anyone know what Stefans Home said?

  3. Pantagruel February 8, 2008 at 12:45 pm #

    Stefans Home said:

    Easy entry into VoIP-lans…

    The main reasons why VoIP is usually sold, is the fact that one can use the already available ethernet structure for both voice and data transport. It is commonplace to separate your data net from the voice net by the use of VLANs (virtual lans).

    We have an Avaya based VoIP system at work, it worked quite well and the ‘holes’ were plugged

  4. eM3rC February 9, 2008 at 8:43 am #

    Thanks for the translation Pantagruel!

    It seems like VoIP would be a good system to use because of the low price and reliable service.

    Could someone confirm that this is how it works? Basically the internet is broadcast over one frequency of the LAN line while the information used for the VoIP service is transmitted over a different frequency hence allowing the information to travel over both lines without interference. (Although I am not sure why someone is required to use those filters when you install DSL).

  5. agentphunk February 14, 2008 at 5:05 am #

    eM3rC: Close but not quite. I think you’re thinking about voip providers like Vonage and perhaps Skype, which do send packets over the internet. This tool is for ‘enterprise’ VoIP, which is anything BUT cheap and packets usually don’t traverse the Internet. Companies used to run and support two infrastructures – data and voice, each with its own routing/switching gear, circuits, cabling, dedicated support teams, different vendors, etc. The two infrastructures didn’t co-mingle that much. VoIP basically does away with the traditional voice infrastructure by digitizing the audio (with a particular codec, for example G.729 or G.711) and stuffing that into routable IP packets. Essentially voice is just another application running across your network. However, it’s a ‘latency-sensitive’ application that doesn’t like getting delayed, AT ALL, from point A to point B. So although voice and data are ‘riding the same pipe’ you want to be smart about it and segment or differentiate the two types of traffic. That’s where the two VLANs come in: you want your PCs, printers, servers, etc in one subnet / VLAN / ‘broadcast domain’ and your telephony (pronounced tell-eph-O-ni, not telly-phony!) devices in another (no need for your phones to hear all of those damn NetBios broadcasts, right? Plus, you might have 100-200 data devices in a subnet, so that means maybe 100-200 users, which translates to maybe 100-200 phones. That adds up to 500 devices in one subnet – not good.) So you’re going to have a Data VLAN and a Voice VLAN in most enterprise networks, with different IP addressing schemes for each. You’ll also apply QoS (quality of service) settings differently for each subnet, because again you want to ensure your voice packets get priority over big clunky data packets.

    If you’re -really- interested I can elaborate on the process by which a phone winds up in the voice vlan (the tool’s description is 100% accurate, though) but once it’s there it ‘Tags’ each voice packet using a mechanism called 802.1Q trunking. Each switchport is configured with a ‘native’ VLAN (the data vlan, with no trunking) and a voice vlan that can only be ‘accessed’ when the packets are ‘wrapped’ inside of an 802.1Q packet. So this isn’t about frequencies – it’s about a way for the IP phones to differentiate themselves from the ‘native’ data vlan, and get all of the added benefits that come with that (specifically the QoS markings that are used ‘upstream’ at the routers to prioritize voice traffic over data traffic, but there’s other benefits too.)

    So what the tool is doing is listening to the mechanism by which a phone learns what the voice VLAN is, and then allowing your PC to do the same thing. The immediate benefit would be that your packets would get that preferential treatment as they cross the corporate wide area network (super fast web surfing!) but in some environments there might be ACLs on the data vlans that aren’t on voice, perhaps giving you access to voice-infrastructure devices like PBXs etc.

    HOWEVER, that’s going to get you noticed fairly quickly, I think. Phones talk to other phones and PBXs, not to YouTube and Team Fortress servers. Voip traffic is fairly lightweight – and predominantly UDP not TCP. The network guys (e.g. Me!) have reserved a specific percentage of bandwidth for voice traffic and usually watch that pretty closely.

    Bottom line: looks like an interesting utility but read up on enterprise voip before you use it at work. You can’t claim ignorance on this one; if I caught you using it at my company I’d probably lobby to get you fired :-)

  6. eM3rC February 14, 2008 at 8:20 am #

    All I can say is I bow down to you sir… It now seems so much clearer yet more complicated.

    I think I’ll plead ignorant due to the fact I haven’t actually gone into working in the computer field yet.

    agentphunk’s post should be stickied or something just so other people can learn the ways of VoIP