VoIP Hopper – VLAN Hopping Tool


VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper does this by mimicking the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments.

In Cisco IP Phone networks, it first dissects IEEE 802.3 or Ethernet II frames looking for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the Voice VLAN ID (VVID).

This allows the tool to create a new Ethernet interface on the PC that adds the 802.1Q VLAN tag to the Ethernet frames it sends. After VoIP Hopper has created the new Ethernet device, it will send a DHCP client request.
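
As an added example (not part of VoIP Hopper or the original post), the Python below parses a CDP frame in the way the dissection step above describes and reports the voice VLAN ID that a switch port advertises to any attached host. It handles only the 802.3/SNAP encapsulation, and the frame built by `sample_frame` is constructed for illustration.

```python
import struct

CDP_DST = bytes.fromhex("01000ccccccc")        # CDP multicast destination MAC
SNAP_CDP = bytes.fromhex("aaaa0300000c2000")   # LLC/SNAP, Cisco OUI, protocol ID 0x2000
TLV_VOIP_VLAN_REPLY = 0x000E                   # TLV that carries the voice VLAN ID

def cdp_tlvs(frame):
    """Yield (type, value) for each TLV in an 802.3/SNAP CDP frame."""
    if len(frame) < 26 or frame[:6] != CDP_DST or frame[14:22] != SNAP_CDP:
        raise ValueError("not an 802.3/SNAP CDP frame")
    length = struct.unpack("!H", frame[12:14])[0]   # 802.3 length: LLC header onward
    pdu = frame[22:14 + length]                     # drops any Ethernet padding
    off = 4                                         # skip version, TTL, checksum
    while off + 4 <= len(pdu):
        tlv_type, tlv_len = struct.unpack_from("!HH", pdu, off)
        if tlv_len < 4 or off + tlv_len > len(pdu):
            raise ValueError("malformed TLV length")
        yield tlv_type, pdu[off + 4:off + tlv_len]
        off += tlv_len

def advertised_voice_vlan(frame):
    """Return the VVID the port advertises, or None if no voice VLAN TLV is present."""
    for tlv_type, value in cdp_tlvs(frame):
        if tlv_type == TLV_VOIP_VLAN_REPLY and len(value) >= 3:
            return struct.unpack("!H", value[1:3])[0]   # value = 1 data byte + VLAN ID
    return None

def sample_frame(vvid=None):
    """Build a constructed CDP frame: Device-ID TLV plus an optional voice VLAN TLV."""
    tlvs = struct.pack("!HH", 0x0001, 11) + b"SW-LAB1"            # made-up device name
    if vvid is not None:
        tlvs += struct.pack("!HHBH", TLV_VOIP_VLAN_REPLY, 7, 0x01, vvid)
    payload = SNAP_CDP + bytes([2, 180, 0, 0]) + tlvs             # v2, TTL 180, checksum unset
    src = bytes.fromhex("020000000001")                           # constructed source MAC
    return CDP_DST + src + struct.pack("!H", len(payload)) + payload

if __name__ == "__main__":
    print("voice VLAN advertised:", advertised_voice_vlan(sample_frame(200)))
    print("voice VLAN advertised:", advertised_voice_vlan(sample_frame()))
```
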

In Avaya IP Phone environments, it sends an Option 55 parameter request list, requesting Option 176. When the DHCP server sends Option 176, it decodes the L2QVLAN reply field for the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request.
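
The Option 55 / Option 176 exchange above can also be examined from the DHCP side. This added example (not VoIP Hopper code) walks DHCP option fields, decodes L2QVLAN from a server reply, and lists clients that request Option 176 without appearing in a phone inventory. The MAC addresses, the `PHONE_MACS` inventory and the option strings are constructed, and the fields other than L2QVLAN in the sample string are illustrative.

```python
def dhcp_options(field):
    """Walk a DHCP options field (the bytes after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(field) and field[i] != 255:        # 255 = End
        if field[i] == 0:                            # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(field) or i + 2 + field[i + 1] > len(field):
            raise ValueError("truncated DHCP option")
        code, n = field[i], field[i + 1]
        opts[code] = opts.get(code, b"") + field[i + 2:i + 2 + n]
        i += 2 + n
    return opts

def asks_for_176(field):
    """True if the client's Option 55 parameter request list includes 176."""
    return 176 in dhcp_options(field).get(55, b"")

def l2qvlan(field):
    """Voice VLAN ID from the server's Option 176 string, or None if absent."""
    raw = dhcp_options(field).get(176, b"").decode("ascii", "replace")
    pairs = dict(p.split("=", 1) for p in raw.split(",") if "=" in p)
    value = pairs.get("L2QVLAN", "").strip("\x00 ")
    return int(value) if value.isdigit() else None

def unexpected_requesters(requests, phone_macs):
    """MACs that asked for Option 176 but are not in the phone inventory."""
    return sorted({mac for mac, field in requests
                   if asks_for_176(field) and mac not in phone_macs})

def opt(code, value):
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value

# Constructed sample data (not captured traffic): three DISCOVERs and one OFFER.
REQUESTS = [
    ("02:00:00:00:00:01", opt(53, b"\x01") + opt(55, bytes([1, 3, 6, 176])) + b"\xff"),
    ("02:00:00:00:00:02", opt(53, b"\x01") + opt(55, bytes([1, 3, 6, 15])) + b"\xff"),
    ("02:00:00:00:00:03", opt(53, b"\x01") + opt(55, bytes([1, 3, 176])) + b"\xff"),
]
PHONE_MACS = {"02:00:00:00:00:01"}   # hypothetical inventory of deployed phones
REPLY = opt(53, b"\x02") + opt(176, b"MCIPADD=192.0.2.10,L2Q=1,L2QVLAN=160") + b"\xff"

if __name__ == "__main__":
    print("voice VLAN in reply:", l2qvlan(REPLY))
    print("unexpected Option 176 requesters:", unexpected_requesters(REQUESTS, PHONE_MACS))
```
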

Why?

VoIP Hopper was written with the specific aim of improving security in VoIP environments by validating Layer 2 protection controls. It is a VLAN test tool that can be used to validate controls in VoIP environments but also anywhere else VLANs are used (basically everywhere).

You can download VoIP Hopper here:

VoIP Hopper 0.9.7

Or read more here.



6 Responses to VoIP Hopper – VLAN Hopping Tool

  1. goodpeople January 15, 2008 at 4:58 pm #

    I’ve never had the opportunity to play in a voip environment. But this sounds like a useful tool..

  2. eM3rC February 7, 2008 at 5:30 am #

    Seems like it would be a fun thing to play with.

    Anyone know what Stefans Home said?

  3. Pantagruel February 8, 2008 at 12:45 pm #

    Stefans Home said:

    Easy entry into VoIP-lans…

    The main reasons why VoIP is usually sold, is the fact that one can use the already available ethernet structure for both voice and data transport. It is commonplace to separate your data net from the voice net by the use of VLANs (virtual lans).

    We have an Avaya based VoIP system at work, it worked quite well and the ‘holes’ were plugged

  4. eM3rC February 9, 2008 at 8:43 am #

    Thanks for the translation Pantagruel!

    It seems like VoIP would be a good system to use because of the low price and reliable service.

    Could someone confirm that this is how it works? Basically the internet is broadcast over one frequency of the LAN line while the information used for the VoIP service is transmitted over a different frequency hence allowing the information to travel over both lines without interference. (Although I am not sure why someone is required to use those filters when you install DSL).

  5. agentphunk February 14, 2008 at 5:05 am #

    eM3rC: Close but not quite. I think you’re thinking about voip providers like Vonage and perhaps Skype, which do send packets over the internet. This tool is for ‘enterprise’ VoIP, which is anything BUT cheap and packets usually don’t traverse the Internet. Companies used to run and support two infrastructures – data and voice, each with its own routing/switching gear, circuits, cabling, dedicated support teams, different vendors, etc. The two infrastructures didn’t co-mingle that much. VoIP basically does away with the traditional voice infrastructure by digitizing the audio (with a particular codec, for example G.729 or G.711) and stuffing that into routable IP packets. Essentially voice is just another application running across your network. However, it’s a ‘latency-sensitive’ application that doesn’t like getting delayed, AT ALL, from point A to point B. So although voice and data are ‘riding the same pipe’ you want to be smart about it and segment or differentiate the two types of traffic. That’s where the two VLANs come in: you want your PCs, printers, servers, etc in one subnet / VLAN / ‘broadcast domain’ and your telephony (pronounced tell-eph-O-ni, not telly-phony!) devices in another (no need for your phones to hear all of those damn NetBios broadcasts, right? Plus, you might have 100-200 data devices in a subnet, so that means maybe 100-200 users, which translates to maybe 100-200 phones. That adds up to 500 devices in one subnet – not good.) So you’re going to have a Data VLAN and a Voice VLAN in most enterprise networks, with different IP addressing schemes for each. You’ll also apply QoS (quality of service) settings differently for each subnet, because again you want to ensure your voice packets get priority over big clunky data packets.

    If you’re -really- interested I can elaborate on the process by which a phone winds up in the voice vlan (the tool’s description is 100% accurate, though) but once it’s there it ‘Tags’ each voice packet using a mechanism called 802.1Q trunking. Each switchport is configured with a ‘native’ VLAN (the data vlan, with no trunking) and a voice vlan that can only be ‘accessed’ when the packets are ‘wrapped’ inside of an 802.1Q packet. So this isn’t about frequencies – it’s about a way for the IP phones to differentiate themselves from the ‘native’ data vlan, and get all of the added benefits that come with that (specifically the QoS markings that are used ‘upstream’ at the routers to prioritize voice traffic over data traffic, but there’s other benefits too.)

    So what the tool is doing is listening to the mechanism by which a phone learns what the voice VLAN is, and then allowing your PC to do the same thing. The immediate benefit would be that your packets would get that preferential treatment as they cross the corporate wide area network (super fast web surfing!) but in some environments there might be ACLs on the data vlans that aren’t on voice, perhaps giving you access to voice-infrastructure devices like PBXs etc.

    HOWEVER, that’s going to get you noticed fairly quickly, I think. Phones talk to other phones and PBXs, not to YouTube and Team Fortress servers. Voip traffic is fairly lightweight – and predominantly UDP not TCP. The network guys (e.g. Me!) have reserved a specific percentage of bandwidth for voice traffic and usually watch that pretty closely.

    Bottom line: looks like an interesting utility but read up on enterprise voip before you use it at work. You can’t claim ignorance on this one; if I caught you using it at my company I’d probably lobby to get you fired :-)

  6. eM3rC February 14, 2008 at 8:20 am #

    @agentphunk
    All I can say is I bow down to you sir… It now seems so much clearer yet more complicated.

    I think I’ll plead ignorant due to the fact I haven’t actually gone into working in the computer field yet.

    @Darknet
    agentphunk’s post should be stickied or something just so other people can learn the ways of VoIP