
Scope Mode: Passive Recon Without Sending a Single Packet

April 16, 2026 | 7 min read | Yves Soete

TL;DR

Scope mode is the Phantom's passive reconnaissance engine. It captures full PCAPs, maps network assets from observed traffic, and enumerates every WiFi and Bluetooth device in range -- all without transmitting a single packet. Start every physical engagement with silent recon to avoid scope violations and detection.

The first thirty minutes of any physical engagement should be silent. No scanning, no poisoning, no rogue APs -- just listening. Scope mode is the Phantom's passive reconnaissance engine. It records full packet captures, builds a network asset map from observed traffic, enumerates every WiFi network and Bluetooth device in range, and does all of it without transmitting a single packet on the target network. If you're deploying active attacks before you understand the environment, you're taking unnecessary risk.

What Does "Passive" Actually Mean?

Passive reconnaissance means zero transmitted packets on the target network. The Phantom's interfaces are placed in monitor mode (for WiFi) and passive scanning mode (for Bluetooth), which means they receive and record frames without sending any. No probe requests, no association attempts, no ARP packets, no DNS lookups, no ICMP -- nothing that could appear in the target's logs, SIEM, or network monitoring tools.

This is a stronger guarantee than simply not running nmap. Even joining a network without running any tools (associating with an AP and taking a DHCP lease) generates traffic: DHCP discover/request, ARP announcements, mDNS queries, and potentially NetBIOS name registrations. Scope mode never associates with any network. The WiFi radio stays in monitor mode, and the wired Ethernet interface (if connected via Tap mode's bridge) can be placed in promiscuous receive-only mode to sniff traffic without generating any of its own.

The distinction matters for engagements with strict rules of engagement around detection. Some clients want to know if their monitoring can detect an active attacker; others want a baseline assessment before any active testing begins. Scope mode gives you the latter with zero risk of triggering alerts.

How Does Full PCAP Recording Work?

Scope mode writes full packet captures to the Phantom's encrypted partition. Every frame received on every interface -- WiFi, Bluetooth, and wired -- is captured in standard pcap-ng format, rotated by size and time to keep individual files manageable. The encrypted partition uses LUKS2 with AES-256-XTS, and the decryption key is held only on the device and in the operator's key material -- not on the relay, not in the dashboard backend.

Full PCAP is the ground truth of the engagement. After recovery, you can analyze the captures in Wireshark, feed them into network forensics tools, or re-process them with custom scripts. But the real value of Scope mode is what it extracts in real time from those captures, so you don't have to wait for physical retrieval to understand the environment.

How Does Scope Discover Network Assets Without Scanning?

Without sending a single packet, you can build a surprisingly complete picture of a network just by watching what's already on the wire. Scope mode parses live traffic from the wired interface (when deployed via Tap mode's bridge) to identify hosts, services, and network topology.

ARP Traffic

ARP requests and replies reveal IP-to-MAC mappings for every active host on the local subnet. Within minutes on a busy network, Scope builds a host table that rivals an nmap ping sweep -- without sending a single ARP request of its own. Gratuitous ARP announcements from hosts coming online, DHCP renewals triggering ARP, and normal communication patterns all feed into the map. The OUI (first three octets of the MAC address) is resolved to identify device manufacturers, which immediately distinguishes workstations (Dell, Lenovo, HP) from printers (Xerox, HP), phones (Apple, Samsung), IoT devices (Espressif, Raspberry Pi Foundation), and network equipment (Cisco, Aruba, Meraki).

DHCP Traffic

DHCP discover and request packets contain the client hostname (option 12), vendor class identifier (option 60), and requested parameters (option 55). The parameter request list is particularly useful for OS fingerprinting -- Windows, macOS, Linux, iOS, and Android all request different combinations of DHCP options in different orders. DHCP ACKs from the server reveal the subnet mask, default gateway, DNS servers, domain name, and lease durations, giving you the network configuration without needing to request it.

DNS Traffic

DNS queries and responses are a goldmine. Internal hostnames, Active Directory domain names (from SRV lookups for _ldap._tcp, _kerberos._tcp, _gc._tcp), internal web applications, printer names, and service discovery all flow through DNS. Scope aggregates DNS data into a searchable table of hostnames, resolved IPs, and query frequencies. High-frequency queries to specific internal hosts often indicate critical infrastructure (domain controllers, file servers, internal web apps).

mDNS and NetBIOS

Multicast DNS (mDNS, UDP port 5353) and NetBIOS Name Service (UDP port 137) are broadcast/multicast protocols that announce device names and services to the local network. Apple devices broadcast mDNS records for AirPlay, AirDrop, and printer sharing. Windows machines announce NetBIOS names and workgroup/domain membership. Linux machines running Avahi broadcast their hostnames and advertised services.

These protocols are particularly valuable because they're chatty by design -- devices announce themselves periodically without being asked. Scope captures every mDNS and NetBIOS announcement and correlates them with the ARP/DHCP data to build a rich profile of each host: IP address, MAC address, manufacturer, hostname, OS family, and advertised services. All without transmitting.
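As an added example (not code from this post or from Blacksight), here is a minimal parser that pulls the DHCP fields described above out of a DISCOVER message and matches the option-55 list against a small signature table. The signature table, hostname and sample message are constructed for this example; a real inventory would use a maintained fingerprint database.

```python
import struct

# Added example, not the product's parser: extract the asset-inventory fields
# from a DHCP DISCOVER/REQUEST (RFC 2131/2132): client MAC, hostname (option 12),
# vendor class (option 60) and the parameter request list (option 55).
# Illustrative option-55 signatures, constructed for this example only.
PARAM_SIGNATURES = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "macOS",
    (1, 3, 6, 12, 15, 28, 42): "Linux (udhcpc-style)",
}
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP header and TLV option list of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]                     # hardware address length (6 for Ethernet)
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                   # end of options
            break
        if code == 0:                     # pad byte, has no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    params = tuple(opts.get(55, b""))
    return {
        "client_mac": payload[28:28 + hlen].hex(":"),
        "message_type": opts.get(53, b"\x00")[0],
        "hostname": opts.get(12, b"").decode("ascii", "replace") or None,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace") or None,
        "param_request_list": params,
        "os_guess": PARAM_SIGNATURES.get(params, "unknown"),
    }

def build_discover(mac: bytes, hostname: str, vendor: str, params: tuple) -> bytes:
    """Constructed DHCP DISCOVER used as sample input (op=1, htype=Ethernet)."""
    hdr = struct.pack("!BBBBIHH16s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, b"\0" * 16)
    hdr += mac + b"\0" * 10 + b"\0" * 192 + MAGIC_COOKIE   # chaddr, sname, file, cookie
    opts = b"\x35\x01\x01"                                   # option 53 = DISCOVER
    opts += bytes([12, len(hostname)]) + hostname.encode()
    opts += bytes([60, len(vendor)]) + vendor.encode()
    opts += bytes([55, len(params)]) + bytes(params)
    return hdr + opts + b"\xff"

SAMPLE = build_discover(bytes.fromhex("001122334455"), "WS-FINANCE-07", "MSFT 5.0",
                        (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252))
```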

What WiFi Intelligence Does Scope Capture?

The Phantom's WiFi radio in monitor mode captures every 802.11 frame in range -- beacons, probe requests, probe responses, authentication frames, association frames, and data frames. From this, Scope extracts a complete picture of the wireless environment.

For each access point: SSID, BSSID, channel, encryption type (Open, WEP, WPA, WPA2-PSK, WPA2-Enterprise, WPA3-SAE), signal strength (RSSI), supported rates, vendor (from OUI), and client count. Hidden networks (those that don't broadcast their SSID in beacons) are identified by the presence of beacon frames with empty SSID fields, and the actual SSID is often recoverable from probe response frames when a client that knows the SSID connects.

For each client: MAC address, associated AP (if any), probe requests (revealing the SSIDs the device is looking for -- which often includes home networks, hotel WiFi, and previously visited locations), signal strength, and data rates. Probe requests from unassociated clients are especially useful: they reveal what networks the device trusts, which directly informs Siren mode's target selection for evil twin attacks.

The channel survey maps RF utilization across all 2.4 GHz and 5 GHz channels, identifying congestion, interference sources, and optimal channels for Siren mode deployment. Understanding the RF environment before deploying an evil twin significantly improves success rates.
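An added example, not the Phantom's own code: parsing the information elements of an 802.11 beacon body to record SSID, channel and security type, including the empty-SSID case that marks a hidden network. The sample beacons are constructed for this example, and only the RSN, WPA vendor and DS Parameter elements are interpreted.

```python
import struct

# Added example, not the product's code: classify an 802.11 beacon frame body
# (the bytes after the 24-byte MAC header) into SSID, channel and security type.
# Hidden networks appear as an SSID element that is empty or all NULs; the
# security type comes from the RSN element's AKM suites (IEEE 802.11 OUI 00-0f-ac).
AKM_NAMES = {1: "WPA2-Enterprise", 2: "WPA2-PSK", 8: "WPA3-SAE"}
PRIVACY_BIT = 0x0010          # capability field: privacy (WEP if no RSN/WPA element)

def parse_beacon_body(body: bytes) -> dict:
    _timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    ies, i = [], 12                       # information elements as (id, data) pairs
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies.append((eid, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    first = lambda wanted: next((d for e, d in ies if e == wanted), None)
    ssid = first(0) or b""
    hidden = not ssid.strip(b"\x00")
    rsn, ds = first(48), first(3)
    if rsn is not None:
        # RSN: version(2) group(4) pairwise count(2) pairwise*n akm count(2) akm*m
        n = struct.unpack_from("<H", rsn, 6)[0]
        off = 8 + 4 * n
        m = struct.unpack_from("<H", rsn, off)[0]
        suites = [rsn[off + 2 + 4 * k: off + 6 + 4 * k] for k in range(m)]
        akms = [s[3] for s in suites if s[:3] == b"\x00\x0f\xac"]
        security = "/".join(AKM_NAMES.get(a, f"AKM-{a}") for a in akms) or "RSN-unknown"
    elif any(e == 221 and d[:4] == b"\x00\x50\xf2\x01" for e, d in ies):
        security = "WPA"                   # legacy WPA1 vendor-specific element
    elif cap & PRIVACY_BIT:
        security = "WEP"
    else:
        security = "Open"
    return {"ssid": None if hidden else ssid.decode("utf-8", "replace"),
            "hidden": hidden, "channel": ds[0] if ds else None,
            "security": security, "beacon_interval_tu": interval}

def build_beacon_body(ssid: bytes, channel: int, privacy: bool = False, akms=()) -> bytes:
    """Constructed beacon body for sample input; akms are 802.11 AKM suite types."""
    body = struct.pack("<QHH", 0, 100, 0x0001 | (PRIVACY_BIT if privacy else 0))
    body += bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    if akms:
        rsn = b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
        rsn += struct.pack("<H", len(akms)) + b"".join(b"\x00\x0f\xac" + bytes([a]) for a in akms)
        body += bytes([48, len(rsn) + 2]) + rsn + b"\x00\x00"   # trailing RSN capabilities
    return body
```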

What Bluetooth and BLE Devices Does Scope Find?

Parallel to WiFi enumeration, the Bluetooth radio performs passive scanning for BLE advertisements and classic Bluetooth inquiry responses. Every device that advertises or responds to inquiry scans from other devices (not from the Phantom -- the Phantom only listens) is logged with its address, device name, device class, service UUIDs, manufacturer data, TX power, and RSSI.

BLE advertisements are broadcast continuously by design, so passive scanning yields comprehensive results quickly. Classic Bluetooth is harder -- devices only respond to inquiry scans, and the Phantom doesn't send them in passive mode. However, classic Bluetooth devices that are actively communicating can be detected by monitoring the Bluetooth frequency hopping spectrum, though this requires specialized processing and yields less detail than BLE passive scanning.

The Bluetooth inventory feeds directly into Fang mode's target selection. Knowing which devices are present, what services they expose, and what manufacturers built them lets the operator prioritize targets before enabling any active Bluetooth attacks.

Stealth Mode and the Master Toggle

Scope mode includes a stealth toggle that enforces passive-only operation at the system level. When stealth mode is active, the firmware prevents any active mode (Venom, Siren, Fang, Tap in active bridge mode) from starting. This is not just a UI restriction -- the kernel-level network stack is configured to drop all outgoing frames on monitored interfaces, and the control daemon refuses to start any service that would transmit.

Stealth mode is the "prove to the client that we were completely passive" setting. When an engagement requires demonstrable passive-only operation (some compliance frameworks and RoE documents require it), the stealth toggle provides a verifiable guarantee that no packets were sent. The device's audit log records the stealth mode state, and the PCAP captures can be analyzed post-engagement to confirm zero transmitted frames.
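As an added example of that post-engagement check (not Blacksight's tooling), here is a minimal pcap-ng reader that flags any Ethernet frame whose source MAC is one of the capturing device's own addresses. The capture file and the device MAC are constructed for the example; monitor-mode 802.11 frames would additionally need radiotap parsing, which is left out.

```python
import struct

# Added example, not the product's audit tool: confirm a pcap-ng capture holds no
# Ethernet frame sourced from the capturing device's own MAC addresses, i.e. the
# post-engagement "zero transmitted frames" check. Minimal little-endian reader
# covering SHB, IDB and EPB only; 802.11 monitor-mode frames would need radiotap parsing.
SHB, IDB, EPB, LINKTYPE_ETHERNET = 0x0A0D0D0A, 1, 6, 1

def iter_packets(data: bytes):
    """Yield (linktype, frame_bytes) for every Enhanced Packet Block."""
    linktypes, off = [], 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12 or off + blen > len(data):
            break                                   # truncated or corrupt block
        body = data[off + 8: off + blen - 4]        # strip header and trailing length
        if btype == SHB:
            linktypes = []                          # new section: interface ids restart
        elif btype == IDB:
            linktypes.append(struct.unpack_from("<H", body, 0)[0])
        elif btype == EPB:
            iface, _hi, _lo, caplen, _orig = struct.unpack_from("<IIIII", body, 0)
            if iface < len(linktypes):
                yield linktypes[iface], body[20:20 + caplen]
        off += blen

def frames_sent_by(data: bytes, own_macs: set) -> list:
    """Indices of Ethernet frames whose source MAC belongs to the capturing device."""
    return [n for n, (lt, frame) in enumerate(iter_packets(data))
            if lt == LINKTYPE_ETHERNET and len(frame) >= 14 and frame[6:12] in own_macs]

def _block(btype: int, body: bytes) -> bytes:
    body += b"\x00" * (-len(body) % 4)              # blocks are 32-bit aligned
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))

def build_capture(frames: list) -> bytes:
    """Constructed pcap-ng file: one section, one Ethernet interface, one EPB per frame."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535))
    epbs = [_block(EPB, struct.pack("<IIIII", 0, 0, i, len(f), len(f)) + f)
            for i, f in enumerate(frames)]
    return shb + idb + b"".join(epbs)

# Constructed sample: a broadcast ARP from a workstation, then one from the device itself.
DEVICE_MACS = {bytes.fromhex("02deadbeef01")}
_BCAST, _ARP = bytes.fromhex("ffffffffffff"), b"\x08\x06" + b"\x00" * 28
SAMPLE_CAPTURE = build_capture([_BCAST + bytes.fromhex("001122334455") + _ARP,
                                _BCAST + bytes.fromhex("02deadbeef01") + _ARP])
```

A clean passive capture returns an empty list; any index returned points at a frame the device itself put on the wire.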

Can Scope Run Alongside Active Attack Modes?

Outside of stealth mode, Scope runs concurrently with active modes. The most common combination is Scope on the WiFi and Bluetooth radios while Venom runs on the wired interface. This gives you passive wireless reconnaissance while actively harvesting credentials on the wire -- the wireless map helps plan next steps (which SSIDs to target with Siren, which BLE devices to probe with Fang) while Venom collects hashes and relays NTLM authentication.

Scope's output updates the dashboard in real time via the relay. The operator sees the network map, wireless environment, and Bluetooth inventory populate as the Phantom listens. When enough intelligence has been gathered, the operator can make informed decisions about which active modes to enable and against which targets -- rather than spray-and-pray with every tool at once.

Why Should You Start with Passive Recon?

The argument for starting passive is straightforward: you cannot un-send a packet. If Venom poisons the wrong subnet, if Siren targets an SSID that belongs to a tenant you're not authorized to test, if Fang connects to a medical device that crashes when probed -- those are scope violations, potential safety issues, and engagement-ending mistakes. Thirty minutes of passive reconnaissance gives you the information to avoid all of them.

Scope mode also establishes a baseline for comparison. If the client later claims the engagement caused a network outage, the PCAP recordings from before any active testing began provide evidence of what the network looked like in its normal state. This baseline has protected operators from false blame more than once.

For the Scout, passive reconnaissance is the entire mission. The Scout runs Scope continuously -- enumerating WiFi and Bluetooth, recording probe requests, mapping the wireless environment -- and reports everything to the dashboard. Deploy a Scout during the site survey, retrieve the data, and use it to plan the Phantom deployment. Know the environment before you commit the heavy hardware.

Ready to upgrade your engagements?

Blacksight Phantom and Scout ship with free dashboard and relay. No subscriptions.