In the case of WPA-PSK, the network is encrypted, so you need to get the key to decrypt all the traffic and capture the WPA handshake during the sniffing process (Just deautenticate some users). But then, the process is almost the same.
Inside the network, scan the devices with tools such as Nmap to find some network admin panels (ports 80, 443, 8080, etc.). These panels are typically located on the network gateway when the router also acts as an access point.
Then, try to access the panel using the default password or some dictionary brute force attack.
In some cases, the admin panel can modify the network segments, so you can use it to pivot or perform port forwarding, accessing other network resources.
Some wireless networks use a captive portal to authenticate users. It is necessary to examine the captive portal looking for vulnerabilities that could lead to access to the device or the network.
Captive portals use web pages asking for credentials to check the client's authenticity and allow it to enter the network.
In this task, you should evaluate the web security by bypassing the authentication mechanism or exploiting any other vulnerability that could compromise the company's security.
Unauthenticated access to other network segments
The captive portals introduce the client to a preventing network until it is authenticated and moved to the internal network.
You need to check if you can get access to other networks. For that, you can use the following tools.