Hacking the HandLink Gateway

by secuid0

Many cafes, restaurants, pubs, and other shops offer their customers Internet access through Wi-Fi, as they know that it's pivotal for drawing in customers and securing their repeat business.

Usually, all customers have to do is buy a cup of coffee and enjoy free Internet for x minutes.  In some other cases though, shops prefer to get some revenue out of this service, which means customers have to purchase a Wi-Fi voucher directly at the counter.

One of the most common low-cost deployed solutions which handles the authentication, authorization, and accounting for the Internet access is the HandLink WG-500P Hotspot Gateway.

This is a small wireless subscriber gateway.  It's dead easy for non-tech-savvy staff to operate; with the press of a button, the store representatives can issue a voucher, which is printed by the built-in thermal printer.

In order for the customers to use the voucher, first they will have to connect to the cafe Wi-Fi.

The captive portal (pointing at http://1.1.1.1, http://192.168.1.1, or http://192.168.88.251, etc.) will prompt them to enter a valid username and password into the login form.  If the combination is correct, then access is granted.

Now let's imagine the scenario below:

  • We are at a nearby location where cafe Wi-Fi has coverage.
  • We are neither hungry nor thirsty.
  • We need access to the Internet to download an ISO or the latest fappening leak.
  • We may or may not have left our wallet and credit card at home.
  • The shop is using these nifty HandLink WG-500P machines.

One thing we can do is point our browser at http://10.59.1.1 (this is the internal LAN IP address of HandLink WG-500P) and try the following usernames / passwords:

  1.   admin/admin
  2.   supervisor/supervisor
  3.   account/account
  4.   super/super

Chances are you will find combinations No. 1 and No. 2 invalid, but not No. 3 and No. 4.

Once you log in, issue the following POST request (to create the request, you may use Burp Proxy, OWASP ZAP, or, if Firefox is your favorite browser, the HackBar add-on - it's pretty simple):

http://10.59.1.1/webAccountGenerator.cgi
POST data: "button=0&webAccountGeneratorHandler="

On the spot, a voucher will be generated for you and will be displayed on your screen.

Use the newly created login at http://192.168.1.1 and voilà, profit.
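
Seen from the shop's side, the request above is easy to spot in the gateway's web activity.  The following is an added example, not part of the original article and not HandLink code: it flags voucher-generation POSTs that come from hosts other than the staff machine.  The log line format, the sample lines, and the staff address 10.59.1.10 are assumptions constructed for illustration.

```python
# Added example: flag voucher-generation requests from non-staff hosts.
# The log format and the staff address are assumptions, not HandLink output.
import ipaddress

VOUCHER_PATH = "/webAccountGenerator.cgi"            # path named in the article
STAFF_HOSTS = {ipaddress.ip_address("10.59.1.10")}   # hypothetical counter PC

# Constructed sample lines: "<timestamp> <src_ip> <method> <path> <user>"
SAMPLE_LOG = """\
2015-01-10T09:02:11 10.59.1.10 POST /webAccountGenerator.cgi account
2015-01-10T09:40:03 10.59.1.57 GET / -
2015-01-10T09:41:27 10.59.1.57 POST /webAccountGenerator.cgi super
garbage line
2015-01-10T09:45:00 10.59.1.88 POST /webAccountGenerator.cgi?x=1 account
"""


def find_suspect_voucher_requests(log_text, staff_hosts=STAFF_HOSTS):
    """Return (timestamp, src_ip, user) for voucher POSTs from non-staff hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing
        ts, src, method, path, user = parts
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # source field is not an IP address
        # Compare the path without any query string.
        is_voucher_post = method == "POST" and path.split("?", 1)[0] == VOUCHER_PATH
        if is_voucher_post and src_ip not in staff_hosts:
            hits.append((ts, src, user))
    return hits


if __name__ == "__main__":
    for ts, src, user in find_suspect_voucher_requests(SAMPLE_LOG):
        print(f"{ts} voucher generated by {user!r} from non-staff host {src}")
```

A hit from a customer address means one of the logins listed above is still accepted on that gateway and its password should be changed.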

Although the whole approach may or may not work and cannot be considered a fancy hack, it's worth trying.

Happy surfing.
