Do an in-depth Internet search about the target area or corporation. Never underestimate the power of Google. The area you are going to map for expected WLANs could already have been mapped by someone else, with the results published on the Web on some wardriving site, message board, or blog. There are plenty of wireless community sites that publish information about public and enthusiast wireless network locations and names. An example of such a site in the United Kingdom is http://www.consume.net. A Royal London example of a consume.net community WLAN map is shown in Figure 7-1 (but there are far more wireless networks in that part of London than shown on a given map, trust us). An interesting link about wireless network mapping in the United States, with further links to more specific community sites, is http://www.cybergeography.org/atlas/wireless.html. Check it out. The broadest and most comprehensive lists of wireless community networks worldwide are published at WiGLE (http://www.wigle.net), which contains more than 1,000,000 WLANs worldwide, and at http://www.personaltelco.net/index.cgi/WirelessCommunities. You are likely to find some networks in your evaluation area simply by browsing these lists. Apart from finding the known on-site wireless networks through online searching, you might also find useful information about possible sources of RF interference in the area, such as radio stations operating in the microwave range, large industrial complexes, and so on.
Figure 7-1. Public networks in London according to Consume.net.
Conduct an extensive search and find out as much as you can about the specific target and client network(s), on both the wireless and wired sides. This is a normal footprinting procedure that must precede any penetration testing mission, independent of the network type. Is the wireless network somehow accessible from the Internet? What is its topology? Its size? Which protocols are used? Which departments in the enterprise use it? Who set the network up, and who is the network administrator or manager? Is he or she known in the wireless world, certified in wireless networking, or the holder of a relevant degree? Did he or she ever post any questions, comments, or advice to relevant message boards or newsgroups? You might be surprised how much information can be available about the network you target. Of course, you should extract as much information as possible about the target network from your client's management and administration, and never miss an opportunity to use social engineering to find out what they won't tell an outside consultant. You don't have to be called "Kevin" to be a good social engineer; check the tips at http://packetstormsecurity.nl/docs/social-engineering/ and use common sense and situational adaptation to succeed.