When pen-testing a corporation, always look for the Guest WLAN. If there is one and you manage to get on it, you are in luck!
Corporate Guest WLANs are a great place to get a lot of interesting and possibly confidential information without much effort. And this is simply because there are a lot of corporate laptops on the same WLAN.
Of course, you'll argue that the corporate devices have wired access to the internet, which is much more reliable and faster. But the wired infrastructure is also fully controlled by IT - with web filters, content filters etc. So on the guest WLAN you can easily find the following high-profile targets related to the corporation:
- corporate laptop holders - usually employees higher in the hierarchy who, bored with the restrictions of the corporate Internet filters, can easily turn on their Wi-Fi and check their private e-mail, or just download something.
- corporate guests - most visitors to corporations have WLAN-enabled devices, ranging from mobile phones and PDAs through netbooks to full-blown laptops.
- external contractors - a lot of corporations will isolate external contractors to the guest WLAN for internet access.
The following diagram is an example of hunting for interesting targets in the corporate WLAN.
The diagram clearly depicts the high concentration of possible high-profile targets, marked in red.
One can always make the argument that the same attack can be made within a mall, or even in the home networks of those interesting targets. This argument is completely true, but in a mall your high-profile targets are blended into the multitude of students, casual freebie surfers and even the mall store clerks with their WLAN devices.
And the home environment is even more difficult, because the high-profile targets are dispersed all over the city, and you may not know where they reside. So sniffing the network of one specific high-profile target at a time will cost the attacker a lot.
The following diagram is an example of the difficulties in sniffing for interesting targets in home or public-place WLANs.
So, for my money, I'll always prefer to sniff for traffic in the corporate guest WLAN.
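The first target group above, corporate laptops joining the guest WLAN to get around the wired filters, is something the network owner can check for directly. The following is an added example, not part of the original post: it assumes the guest DHCP server writes dnsmasq-style lease lines, and the inventory MAC set, the `corp-lt-NNNN` hostname convention and all sample values are constructed for illustration.

```python
import re

# Constructed sample: dnsmasq-style lease lines from the guest WLAN DHCP server
# (expiry-epoch MAC IP hostname client-id). All values are made up.
GUEST_LEASES = """\
1700003600 00:11:22:33:44:55 10.99.0.21 CORP-LT-0142 01:00:11:22:33:44:55
1700003700 a4:5e:60:aa:bb:cc 10.99.0.22 Janes-iPhone 01:a4:5e:60:aa:bb:cc
1700003800 02:1a:2b:3c:4d:5e 10.99.0.23 corp-lt-0307 *
1700003900 00:11:22:33:44:99 10.99.0.24 * *
garbled line
"""

# Assumed inventory export: MACs of managed laptops and the hostname convention.
CORPORATE_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:99"}
CORPORATE_HOSTNAME = re.compile(r"^corp-lt-\d{4}$", re.IGNORECASE)


def parse_leases(text):
    """Yield one dict per well-formed lease line, skipping anything else."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        yield {"mac": fields[1].lower(), "ip": fields[2], "hostname": fields[3]}


def corporate_devices_on_guest(text, macs=CORPORATE_MACS, pattern=CORPORATE_HOSTNAME):
    """Return (ip, mac, hostname, reasons) for leases that look corporate.

    Two independent signals are used because either can be missing: a client
    with a randomized MAC still announces its hostname, and a client that
    sends no hostname ("*") still shows its hardware MAC.
    """
    findings = []
    for lease in parse_leases(text):
        reasons = []
        if lease["mac"] in macs:
            reasons.append("inventory MAC")
        if pattern.match(lease["hostname"]):
            reasons.append("corporate hostname")
        if reasons:
            findings.append((lease["ip"], lease["mac"], lease["hostname"], reasons))
    return findings


if __name__ == "__main__":
    for ip, mac, host, reasons in corporate_devices_on_guest(GUEST_LEASES):
        print(f"{ip} {mac} {host}: {', '.join(reasons)}")
```

Each finding is a managed device whose traffic is currently leaving through the unfiltered guest network, which is the exposure this post describes.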
Talkback and comments are most welcome