While conducting a wireless site survey of a 500,000-square-foot distribution center, a penetration tester detects steady 802.11 RF energy on channels 1, 6, and 149. However, the tester's laptop, running standard active scanning utilities, shows no SSID or BSSID for the sources. Spectrum analysis confirms the signals are 802.11 management traffic rather than non-Wi-Fi interference. The client asks the tester to identify the network names and MAC addresses of the rogue devices so they can be physically located. Which action will most reliably expose the hidden SSIDs and their associated BSSIDs?
Send continuous null probe requests on every channel to solicit responses
Place a Wi-Fi adapter in monitor mode and capture management frames on all channels
Configure switch port mirroring on the plant VLANs and inspect mirrored traffic
Launch a brute-force WPA2 handshake capture and dictionary attack against each frequency
Putting a wireless adapter into monitor mode lets the tester passively capture 802.11 management frames: beacons, probe responses, and especially association and reassociation requests. A beacon from an access point with "SSID broadcast" disabled still carries the BSSID and channel in the clear but has an empty (or NUL-padded) SSID element, so beacons alone identify the rogue radios but not their names. The SSID itself appears in the probe response the AP sends to a client that probes for the network by name, and in the association request a legitimate client sends when it joins, so reviewing a capture in a protocol analyzer and matching those frames to the beaconing BSSIDs reveals the hidden network names. The capture must hop across both the 2.4 GHz and 5 GHz channels in use (here 1, 6, and 149), so the adapter needs to support 5 GHz monitor mode. Brute-forcing WPA2 handshakes targets authentication rather than discovery and does not guarantee identifier recovery. Port-mirrored switch traffic is wired, not RF, and therefore misses over-the-air management frames. Flooding null (broadcast) probe requests is ignored by APs configured to hide their SSID, and any replies would still have to be observed with a passive capture.
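As an added example (not part of the original question or its answer key), the following Python parser shows what the analyzer is doing under the hood: it decodes the 24-byte management-frame header, walks the information elements, flags beacons whose SSID element is empty or NUL-padded, and recovers the real name from probe responses and association requests that reference the same BSSID. The frames, MAC addresses and network name it processes are constructed inline, not captured from any real network; a practitioner would instead feed it frames read from a monitor-mode capture file.

```python
"""Correlate hidden-SSID beacons with probe responses / association requests.

Minimal 802.11 management-frame parsing in pure Python. All frames below are
constructed test data, not a real capture.
"""
from collections import defaultdict

# Management-frame subtypes (frame-control type 0)
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x4, 0x5, 0x8
SUBTYPE_NAMES = {ASSOC_REQ: "assoc-req", PROBE_REQ: "probe-req",
                 PROBE_RESP: "probe-resp", BEACON: "beacon"}
SSID_IE = 0x00  # element ID of the SSID information element

# Fixed fields that precede the IE list in each subtype's body:
# beacon/probe-resp: timestamp(8)+interval(2)+capability(2); assoc-req:
# capability(2)+listen interval(2); probe-req: none.
FIXED_BODY = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4, PROBE_REQ: 0}


def mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def parse_ies(body: bytes):
    """Yield (element_id, data) pairs from a tagged-parameter list."""
    i = 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        yield eid, body[i + 2:i + 2 + ln]
        i += 2 + ln


def parse_mgmt_frame(raw: bytes):
    """Decode one management frame; return None for non-management frames.

    ssid is "" for a hidden network (empty or NUL-padded SSID element) and
    None when the frame carries no SSID element at all.
    """
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in FIXED_BODY:
        return None
    addr1, addr2, addr3 = raw[4:10], raw[10:16], raw[16:22]  # DA, SA, BSSID
    ssid = None
    for eid, data in parse_ies(raw[24 + FIXED_BODY[subtype]:]):
        if eid == SSID_IE:
            ssid = data.decode("utf-8", "replace") if data.strip(b"\x00") else ""
            break
    return {"subtype": SUBTYPE_NAMES[subtype], "addr1": mac(addr1),
            "addr2": mac(addr2), "bssid": mac(addr3), "ssid": ssid}


def resolve_hidden_ssids(frames):
    """Map each BSSID that beacons a hidden SSID to the names recovered from
    probe responses (AP -> client) and association requests (client -> AP)."""
    hidden, names = set(), defaultdict(set)
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None:
            continue
        if f["subtype"] == "beacon" and f["ssid"] == "":
            hidden.add(f["bssid"])
        elif f["subtype"] in ("probe-resp", "assoc-req") and f["ssid"]:
            names[f["bssid"]].add(f["ssid"])
    return {b: sorted(names.get(b, ())) for b in hidden}


def build_frame(subtype, addr1, addr2, bssid, ssid: bytes) -> bytes:
    """Build a minimal management frame (constructed data for the demo)."""
    fc = bytes([subtype << 4, 0x00])                  # type 0, no flags
    hdr = fc + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00"
    fixed = b"\x00" * FIXED_BODY[subtype]             # zeroed fixed fields
    ssid_ie = bytes([SSID_IE, len(ssid)]) + ssid
    rates_ie = bytes([0x01, 0x04, 0x82, 0x84, 0x8b, 0x96])  # supported rates
    return hdr + fixed + ssid_ie + rates_ie


# Constructed addresses (locally administered) and a constructed network name
AP1 = bytes.fromhex("0211223344aa")
AP2 = bytes.fromhex("0211223344bb")
CLIENT = bytes.fromhex("0255667788cc")
BCAST = b"\xff" * 6

SAMPLE_CAPTURE = [
    build_frame(BEACON, BCAST, AP1, AP1, b""),               # hidden (empty SSID)
    build_frame(BEACON, BCAST, AP2, AP2, b"\x00" * 8),       # hidden (NUL-padded)
    build_frame(PROBE_REQ, BCAST, CLIENT, BCAST, b""),       # null probe, unanswered
    build_frame(PROBE_RESP, CLIENT, AP1, AP1, b"WH-SCANNERS"),
    build_frame(ASSOC_REQ, AP1, CLIENT, AP1, b"WH-SCANNERS"),
]

if __name__ == "__main__":
    for bssid, ssids in resolve_hidden_ssids(SAMPLE_CAPTURE).items():
        print(bssid, ssids or "<still hidden: no client traffic seen yet>")
```

The second access point in the sample illustrates the practical caveat: a hidden BSSID stays unnamed until a client probes for or joins that network, which is why passive capture on every channel in use can take time but cannot be defeated by disabling SSID broadcast.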