A pentester discovers an unencrypted wireless access point in a public space and aims to capture the 4-way handshake. What is the most appropriate first step?

Multiple Choice

Explanation:
The key idea is that capturing a 4-way handshake requires observing the WPA/WPA2 authentication exchange that happens when a client connects to a protected AP. The safest, most appropriate first step is to use a wireless sniffer in passive monitor mode to listen and collect traffic without sending any frames. This non-intrusive approach lets you see whether any protected sessions occur and, if so, capture the handshake without disrupting users. In this scenario, the AP is unencrypted, so there isn’t a 4-way handshake to capture; nevertheless, starting with passive monitoring still helps verify the network’s security posture and avoids interference. The other options are invasive or impractical as a first move: brute-forcing a PSK isn’t feasible without a handshake to start from and is typically illegal without explicit permission; forcing a handshake by disconnecting clients is disruptive; and reconfiguring someone else’s AP (to enforce WPA2-Enterprise) requires admin access and is not an appropriate action in a public space.
