VoIP Hopper – Opensource Security tool to test VoIP

In: OpenSource, Security, voip
Tagged: , , , , , , , ,

VoIP Hopper is a Unix/Linux based free opensource security tool that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper mimicks the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments to hope into the Voice VLAN.  VoIP Hopper is both a VLAN Hop test tool and a tool to test VoIP infrastructure security. 

In Cisco IP Phone networks, it first dissects either IEEE 802.3 or Ethernet II for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the Voice VLAN ID (VVID). This will allow the tool to create a new Ethernet interface on the PC that tags the 802.1q VLAN header in the Ethernet packet. After VoIP Hopper has created the new Ethernet device, it will send a DHCP client request. It can also generate CDP messages just as an IP Phone based on CDP would do.  It will send two CDP packets, requesting the Voice VLAN ID.  After creating the new interface, it will then iterate between sleeping for 60 seconds, and sending a CDP packet.

In Avaya IP Phone environments, it sends an Option 55 parameter request list, requesting Option 176.  When the DHCP server sends Option 176, it decodes the L2QVLAN reply field for the Voice VLAN ID.  It then creates a new voice interface and sends a DHCP request.

VOIP Hopper can be downloaded from here

VOIP Hopper requires

libpcap – For Sniffing

GNU C Compiler & Make utility to install

To install

Unzip & Untar VOIP Hopper

debian# tar -zxvf voiphopper-0.9.9.tar.gz

Change Directory and Install

debian# cd voiphopper-0.9.9

debian:~/voiphopper-0.9.9# make

This installs VoIP Hopper on your Linux distribution.

Now, some of the usage examples are

Sniff CDP & VoIP Hop

debian# voiphopper -i eth1 -c 0

where "eth1" is the interface

-c = 0 – Defines sniffing

Spoof CDP & VoIP Hop in Cisco SIP environment

debian# voiphopper -i eth1 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1

Spoof CDP & VoIP HOP in Cisco SCCP environment

debian# voiphopper -i eth1 -c 1 -E 'SEP0070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P00308000700' -U 1

VLAN Hop without CDP Sniffing (if VLAN ID is known)

debian# voiphopper -i eth1 -v 200

Discover Voice VLAN in Avaya IP Phone environment

debian# voiphopper -i eth1 -a

Spoof MAC Address of an IP Phone by sniffing for CDP

debian# voiphopper -i eth1 -c 0 -m AA:AA:AA:AA:AA:AA

Spoof MAC Address of an IP Phone using Avaya DHCP request

debian# voiphopper -i eth1 -a -m AA:AA:AA:AA:AA:AA
 
Spoof MAC Address of an IP Phone by VLAN Hopping without CDP or DHCP

debian# voiphopper -i eth1 -v 200 -m AA:AA:AA:AA:AA:AA

Spoof MAC Address of IP Phone without changing the MAC Address of default ethernet interface

debian# voiphopper -i eth1 -v 200 -m AA:AA:AA:AA:AA:AA -D

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *