The excursion started while understanding mitigation techniques for various attacks on wireless networks. It evolved past timing monitoring, fuzzing, packet inspection, pattern recognition, intrusion detection, intrusion prevention, so on and on and on. So many ways to attack and indeed, so many ways to prevent. An obvious question that might pop (|| push ?) here is, what big difference our approaches making in this regard? Well, the answer is multifold. The one line compression of the multifold is Either smuggle the data in legit communication or make it invisible otherwise. This may sound little unorganized, but holds a lot of connecting links, strong enough for sure. So where in the packet data sits? For a normal user, it sits in the PAYLOAD field. Here comes rule (|| obligation?), Do not abide by RFCs and standards. So for us, data does not sit in payload field. The data sits somewhere else. The full discussion will follow in respective para. #1.Information elements approach Beacon frame is essential element in the wireless networks abiding by IEEE 802.11 STANDARDS. As it's been said, easy to see is easy to miss, these beacon frames can actually lead us to something interesting should they be used in different way. Beacon frame populates air with a rate of around one frame per 100 milliseconds. Stats may vary with tweaks in the access point properties though. The intelligence we will be using here about beacon frames is, they are abundantly available, requires no authentication and/or association with access points to listen to them (lot and lots of viral, indeed!). Zeroing down on the frame structure, we found many avenues for shipping the data, though no official ""payload"" parameter is available. The parameters of interest are: Information elements like SSID, DSset, TIM, Rates, ESRates, initialization vector, Rates, FHset, CFset, TIM, IBSSset, challenge, ERPinfo, QoS Capability, ERPinfo, RSNinfo, vendor, challenge text, extended support rate, TPC report, reserved and many more. Delving further on frame categories we have found that even probe request and response frames are capable of shipping such data with little legit (|| illegit?) tweak in the format. Proof of Concept: All around the IEEE802.11 implementation, ACK frames or RESPONSE frames are of significance to reply to certain communication initiated by the remote host earlier. This infers the trust is already in place between two hosts. Now thanks to monitor mode, the responses or acknowledgements sent by unsolicited user will receive little low priority of inspection as it has been assumed that such responses are bound to come from a legit source on peripheral devices. A minute subversion to information elements approach: Can we ship the earlier discussed Information Elements with data here as well? Yes, certainly. The response traffic is always made more intelligent as they are capable of assigning sequence and discipline the traffic at receiver end. This provides more comfort to an attacker. Reassembling of the data chunks at receiver end made easy for him. The parameters which could come handy are, Frame Control, Frame Control Sequence, More Data, More Fragments, Sequence Numbers, BSSID, ESSID and essentially ""Source Address"" etc.