VoIP Hopper – VLAN Hopping Tool


VoIP Hopper is a GPLv3-licensed security tool, written in C, that rapidly runs a VLAN hop into the Voice VLAN on specific Ethernet switches. It does this by mimicking the behavior of an IP phone, in both Cisco and Avaya IP phone environments.

In Cisco IP phone networks, it first dissects IEEE 802.3 or Ethernet II frames, looking for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the Voice VLAN ID (VVID) from them.

This allows the tool to create a new Ethernet interface on the PC that adds the 802.1Q VLAN header to outgoing Ethernet frames. After VoIP Hopper has created the new Ethernet device, it sends a DHCP client request from it.

In Avaya IP phone environments, it sends a DHCP request with an Option 55 parameter request list, requesting Option 176. When the DHCP server sends Option 176, VoIP Hopper decodes the L2QVLAN reply field to get the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request.
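As an added example (not VoIP Hopper's code), the following Python parses the two fields described above from captured bytes, so an administrator can check which Voice VLAN ID a client on a data port is able to learn. It assumes the CDP bytes start at the CDP version byte, that the VVID sits in the "VoIP VLAN Reply" TLV (type 0x000e), and that the DHCP bytes are the options field after the magic cookie; the function names and sample bytes are constructed for illustration.

```python
import struct

CDP_TLV_VOIP_VLAN_REPLY = 0x000E   # CDP TLV carrying the Voice VLAN ID (VVID)
DHCP_OPT_AVAYA = 176               # Avaya option holding "KEY=value,..." text

def cdp_voice_vlan(cdp: bytes):
    """Return the VVID advertised in a CDP payload, or None."""
    off = 4                                   # skip version, TTL, checksum
    while off + 4 <= len(cdp):
        tlv_type, tlv_len = struct.unpack_from("!HH", cdp, off)
        if tlv_len < 4 or off + tlv_len > len(cdp):
            return None                       # malformed TLV: stop parsing
        if tlv_type == CDP_TLV_VOIP_VLAN_REPLY and tlv_len >= 7:
            # value = 1 data byte followed by a 16-bit VLAN ID
            return struct.unpack_from("!H", cdp, off + 5)[0]
        off += tlv_len
    return None

def dhcp_l2qvlan(options: bytes):
    """Return L2QVLAN from DHCP Option 176, or None if not disclosed."""
    off = 0
    while off < len(options):
        code = options[off]
        if code == 255:                       # End option
            break
        if code == 0:                         # Pad option has no length byte
            off += 1
            continue
        if off + 2 > len(options):
            return None
        length = options[off + 1]
        value = options[off + 2: off + 2 + length]
        if len(value) < length:
            return None                       # truncated option
        if code == DHCP_OPT_AVAYA:
            for pair in value.decode("ascii", "replace").split(","):
                key, _, val = pair.partition("=")
                if key.strip().upper() == "L2QVLAN" and val.strip().isdigit():
                    return int(val)
        off += 2 + length
    return None

# Constructed sample data (not from a real capture).
SAMPLE_CDP = (bytes([0x02, 0xB4, 0x00, 0x00])               # header
              + struct.pack("!HH", 0x0001, 8) + b"sw01"     # Device ID TLV
              + struct.pack("!HHBH", 0x000E, 7, 0x01, 200)) # VoIP VLAN Reply
_opt176 = b"MCIPADD=10.0.0.5,MCPORT=1719,L2Q=1,L2QVLAN=200"
SAMPLE_DHCP = (bytes([53, 1, 2]) + bytes([DHCP_OPT_AVAYA, len(_opt176)])
               + _opt176 + bytes([255]))
```

A `None` result from both functions on a capture taken at a data port means neither mechanism disclosed a Voice VLAN ID in that capture.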


VoIP Hopper was written with the specific aim of improving security in VoIP environments by validating Layer 2 protection controls. It is a VLAN test tool that can be used to validate controls in VoIP environments but also anywhere else VLANs are used (basically everywhere).

You can download VoIP Hopper here:

VoIP Hopper 0.9.7

Or read more here.



6 Responses to VoIP Hopper – VLAN Hopping Tool

  1. goodpeople January 15, 2008 at 4:58 pm #

    I’ve never had the opportunity to play in a voip environment. But this sounds like a useful tool..

  2. eM3rC February 7, 2008 at 5:30 am #

    Seems like it would be a fun thing to play with.

    Anyone know what Stefans Home said?

  3. Pantagruel February 8, 2008 at 12:45 pm #

    Stefans Home said:

    Easy entry into VoIP-lans…

    The main reason why VoIP is usually sold is the fact that one can use the already available ethernet structure for both voice and data transport. It is commonplace to separate your data net from the voice net by the use of VLANs (virtual lans).

    We have an Avaya based VoIP system at work, it worked quite well and the ‘holes’ were plugged

  4. eM3rC February 9, 2008 at 8:43 am #

    Thanks for the translation Pantagruel!

    It seems like VoIP would be a good system to use because of the low price and reliable service.

    Could someone confirm that this is how it works? Basically the internet is broadcast over one frequency of the LAN line while the information used for the VoIP service is transmitted over a different frequency hence allowing the information to travel over both lines without interference. (Although I am not sure why someone is required to use those filters when you install DSL).

  5. agentphunk February 14, 2008 at 5:05 am #

    eM3rC: Close but not quite. I think you’re thinking about voip providers like Vonage and perhaps Skype, which do send packets over the internet. This tool is for ‘enterprise’ VoIP, which is anything BUT cheap and packets usually don’t traverse the Internet. Companies used to run and support two infrastructures – data and voice, each with its own routing/switching gear, circuits, cabling, dedicated support teams, different vendors, etc. The two infrastructures didn’t co-mingle that much. VoIP basically does away with the traditional voice infrastructure by digitizing the audio (with a particular codec, for example G.729 or G.711) and stuffing that into routable IP packets. Essentially voice is just another application running across your network. However, it’s a ‘latency-sensitive’ application that doesn’t like getting delayed, AT ALL, from point A to point B. So although voice and data are ‘riding the same pipe’ you want to be smart about it and segment or differentiate the two types of traffic. That’s where the two VLANs come in: you want your PCs, printers, servers, etc in one subnet / VLAN / ‘broadcast domain’ and your telephony (pronounced tell-eph-O-ni, not telly-phony!) devices in another (no need for your phones to hear all of those damn NetBios broadcasts, right? Plus, you might have 100-200 data devices in a subnet, so that means maybe 100-200 users, which translates to maybe 100-200 phones. That adds up to 500 devices in one subnet – not good.) So you’re going to have a Data VLAN and a Voice VLAN in most enterprise networks, with different IP addressing schemes for each. You’ll also apply QoS (quality of service) settings differently for each subnet, because again you want to ensure your voice packets get priority over big clunky data packets.

    If you’re -really- interested I can elaborate on the process by which a phone winds up in the voice vlan (the tool’s description is 100% accurate, though) but once it’s there it ‘Tags’ each voice packet using a mechanism called 802.1Q trunking. Each switchport is configured with a ‘native’ VLAN (the data vlan, with no trunking) and a voice vlan that can only be ‘accessed’ when the packets are ‘wrapped’ inside of an 802.1Q packet. So this isn’t about frequencies – it’s about a way for the IP phones to differentiate themselves from the ‘native’ data vlan, and get all of the added benefits that come with that (specifically the QoS markings that are used ‘upstream’ at the routers to prioritize voice traffic over data traffic, but there’s other benefits too.)

    So what the tool is doing is listening to the mechanism by which a phone learns what the voice VLAN is, and then allowing your PC to do the same thing. The immediate benefit would be that your packets would get that preferential treatment as they cross the corporate wide area network (super fast web surfing!) but in some environments there might be ACL’s on the data vlans that aren’t on voice, perhaps giving you access to voice-infrastructure devices like PBXs etc.

    HOWEVER, that’s going to get you noticed fairly quickly, I think. Phones talk to other phones and PBXs, not to YouTube and Team Fortress servers. Voip traffic is fairly lightweight – and predominantly UDP not TCP. The network guys (e.g. Me!) have reserved a specific percentage of bandwidth for voice traffic and usually watch that pretty closely.

    Bottom line: looks like an interesting utility but read up on enterprise voip before you use it at work. You can’t claim ignorance on this one; if I caught you using it at my company I’d probably lobby to get you fired :-)

  6. eM3rC February 14, 2008 at 8:20 am #

    All I can say is I bow down to you sir… It now seems so much clearer yet more complicated.

    I think I’ll plead ignorant due to the fact I haven’t actually gone into working in the computer field yet.

    agentphunk’s post should be stickied or something just so other people can learn the ways of VoIP