Sniffing & Spoofingvoipvlancdpspoofingsecurity-testingnetwork

VoIP Hopper

VoIP Hopper is a security tool that performs VLAN hop tests and VoIP infrastructure security assessments. It enables rapid testing of VLAN security and VoIP network configurations through CDP sniffing and spoofing.

Description

VoIP Hopper is a GPLv3 licensed security tool written in C that rapidly executes VLAN Hop security tests. Primarily designed for VoIP infrastructure security testing, it also serves as a general VLAN security assessment tool. The tool helps identify VLAN misconfigurations and potential security weaknesses in VoIP deployments.

Key use cases include testing Cisco IP phone VLAN hopping, CDP protocol analysis, and Avaya DHCP option discovery. Security professionals use it to validate voice VLAN isolation and detect improper switch configurations that could allow data and voice traffic mixing.

The tool supports multiple VoIP vendors including Cisco (SIP/SCCP firmware) and Avaya systems, making it versatile for enterprise VoIP security audits.

How It Works

VoIP Hopper operates by manipulating network interfaces to hop between VLANs, primarily targeting VoIP-specific protocols like CDP (Cisco Discovery Protocol) and DHCP options used by VoIP phones. In CDP sniff mode (-c 0), it captures CDP packets to discover voice VLAN configurations. CDP spoof mode (-c 1) crafts spoofed CDP packets with phone-specific parameters (Device ID, Platform, Software version) to trick switches into assigning voice VLAN access.

VLAN Hop mode (-v) creates subinterfaces for specific VLAN IDs while ARP analysis and MAC spoofing maintain stealth. Avaya mode (-a) exploits DHCP option 176/242 for VLAN discovery. The tool uses libpcap for packet capture and requires root privileges for raw socket operations and interface manipulation.

Installation

bash

sudo apt install voiphopper

Flags

-lList available interfaces for CDP sniffing, then exit

-mSpoof the MAC Address of existing interface and new Interface (used with -a, -v, or -c options)

-dDelete the VLAN Interface, then exit

-VPrint the VoIP Hopper version, then exit

-DSpoof the MAC Address of only new Voice Interface (with -m)

-c 0CDP Sniff Mode

-c 1CDP Spoof Mode

-E <string>Device ID (CDP Spoof Mode)

-P <string>Port ID (CDP Spoof Mode)

-C <string>Capabilities (CDP Spoof Mode)

-L <string>Platform (CDP Spoof Mode)

-S <string>Software (CDP Spoof Mode)

-U <string>Duplex (CDP Spoof Mode)

-aAvaya DHCP Option Mode

-v VLAN IDVLAN Hop Mode

-t 0|1|2Alcatel VLAN Discovery

-iSpecify network interface

-zAssessment mode with ARP analysis

Examples

VoIP Hopper assessment mode with ARP packet analysis on eth0 interface

voiphopper -i eth0 -z

List available interfaces for CDP sniffing, then exit

voiphopper -l

Spoof the MAC Address, then exit

voiphopper -i eth0 -m 00:07:0E:EA:50:86

CDP Sniff Mode

voiphopper -i eth0 -c 0

CDP Spoof Mode for SIP Firmware Phone

voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1

CDP Spoof Mode for SCCP Firmware Phone

voiphopper -i eth0 -c 1 -E 'SEP0070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P00308000700' -U 1

CDP Spoof Mode for Phone with MAC Spoofing

voiphopper -i eth0 -m 00:07:0E:EA:50:86 -c 1 -E 'SEP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1

Avaya DHCP Option Mode

voiphopper -i eth0 -a

VLAN Hop Mode to VLAN 200

voiphopper -i eth0 -v 200

Alcatel VLAN Discovery mode 0

voiphopper -i eth0 -t 0

Updated 2026-04-16kali.org ↗