Hacking the HandLink Gateway
by secuid0
Many cafes, restaurants, pubs, and other shops offer their customers Internet access over Wi-Fi, knowing that it's pivotal for drawing in customers and securing their repeat business.
Usually, all customers have to do is buy a cup of coffee and enjoy free Internet for x minutes. In other cases, though, shops prefer to get some revenue out of this service, which means customers have to purchase a Wi-Fi voucher directly at the counter.
One of the most commonly deployed low-cost solutions for handling the authentication, authorization, and accounting for Internet access is the HandLink WG-500P Hotspot Gateway.
This is a small wireless subscriber gateway. It's dead easy for non-tech-savvy staff to operate: with the press of a button, a store representative can issue a voucher, which is printed by the built-in thermal printer.
To use the voucher, customers first have to connect to the cafe Wi-Fi.
The captive portal (pointing at http://1.1.1.1, http://192.168.1.1, or http://192.168.88.251, etc.) will prompt them to enter a valid username and password into the login form. If the combination is correct, then access is granted.
Now let's imagine the scenario below:
- We are at a nearby location where the cafe Wi-Fi has coverage.
- We are neither hungry nor thirsty.
- We need access to the Internet to download an ISO or the latest fappening leak.
- We may or may not have left our wallet and credit card at home.
- The shop is using these nifty HandLink WG-500P machines.
One thing we can do is point our browser at http://10.59.1.1 (this is the internal LAN IP address of HandLink WG-500P) and try the following usernames / passwords:
- admin/admin
- supervisor/supervisor
- account/account
- super/super
Chances are you will find combinations No. 1 and No. 2 invalid, but not No. 3 and No. 4.
Once you log in, issue the following POST request (to create the request, you may use Burp Proxy, OWASP ZAP, or, if Firefox is your favorite browser, the HackBar add-on - it's pretty simple):
http://10.59.1.1/webAccountGenerator.cgi
POST data: "button=0&webAccountGeneratorHandler="
On the spot, a voucher will be generated for you and will be displayed on your screen.
Use the newly created login at http://192.168.1.1 and voilà, profit.
Although the whole approach may or may not work and cannot be considered as a fancy hack, it's worth trying.
Happy surfing.
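For whoever runs one of these gateways, the voucher request described above is easy to spot in web traffic logs. The following is an added example, not part of the original article: it scans access logs for POSTs to webAccountGenerator.cgi that do not come from the staff workstation. The Common Log Format input (for instance from an inline proxy), the 10.59.1.10 admin address, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the one workstation staff use to manage the gateway (hypothetical).
ADMIN_HOSTS = {ipaddress.ip_address("10.59.1.10")}
VOUCHER_PATH = "/webAccountGenerator.cgi"  # endpoint named in the article

# Common Log Format: host ident user [time] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = """\
10.59.1.10 - - [12/Mar/2015:09:01:11 +0000] "POST /webAccountGenerator.cgi HTTP/1.1" 200 512
10.59.1.57 - - [12/Mar/2015:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 2048
10.59.1.57 - - [12/Mar/2015:09:14:40 +0000] "POST /webAccountGenerator.cgi HTTP/1.1" 200 512
10.59.1.88 - - [12/Mar/2015:09:20:05 +0000] "POST /webAccountGenerator.cgi HTTP/1.1" 401 0
garbage line that does not parse
"""

def find_unexpected_voucher_requests(log_text, admin_hosts=ADMIN_HOSTS):
    """Return voucher-generation requests sent from non-admin addresses."""
    findings = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] != "POST" or path != VOUCHER_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # host field is not an IP address
        if src in admin_hosts:
            continue  # expected: staff issuing a voucher
        findings.append({
            "src": str(src),
            "time": m["ts"],
            "issued": m["status"].startswith("2"),  # 2xx: request was accepted
        })
    return findings

if __name__ == "__main__":
    for f in find_unexpected_voucher_requests(SAMPLE_LOG):
        print(f)
```

A finding with `issued` set to true from a guest address indicates that one of the built-in accounts listed above still accepts its default password.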