Question Number 1: As I understand it, hidden SSIDs can be "discovered" with Kismet if you are scanning when a client just happens to be connecting. Does KisMAC have this functionality? I read that it's unlikely to find a hidden SSID because you just have to be in the right place, on the right CHANNEL (not hopping), at the right time.
Question Number 2: Would it seem feasible to spoof 'disassociate' frames from the client, and force them to need to auto-reconnect?
Question Number 3: How about a disassociate option under 'cracking'? This may be WAY off, so feel free to SPAM me. I'm not sure how that all would work. I'm betting it would require "raw frames" to be written to the WiFi card. Mich, if you want to punch me for asking this, I will fly out there (from the States) and prepare for the blow.
It may be a little far-fetched, but I see many suggesting hidden SSIDs as a method of security in place of WEP (because of speed loss with WEP). I have also seen some hidden SSID networks (around a local University), and it would be fun to try and hop on them. ;-)
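The two mechanisms the questions above lean on, a client naming a "hidden" network in the clear when it probes or associates, and a burst of deauthentication/disassociation frames forcing clients to reconnect, are exactly what a wireless IDS looks for. The following is an added example, not code from this post or from KisMAC: it parses the fixed 802.11 management header of a handful of constructed frames (the MAC addresses, SSID "hidden-lab-net" and reason code are all made up for the example), lists the SSIDs that stations disclose in probe and association requests even though the AP's beacon carries an empty SSID, and flags a transmitter address that sources an unusual number of deauth/disassoc frames. Pass any list of raw management frames (e.g. read from a monitor-mode capture) to the two top-level functions.

```python
import struct
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# 802.11 management-frame subtypes (frame type == 0)
SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
MGMT_HEADER_LEN = 24  # frame control, duration, addr1-3, sequence control
SSID_IE = 0           # information element id of the SSID


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes) -> dict:
    """Split the fixed 24-byte management header from the frame body."""
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("frame shorter than the management header")
    fc = struct.unpack("<H", frame[:2])[0]
    return {
        "type": (fc >> 2) & 0x3,         # 0 = management
        "subtype": (fc >> 4) & 0xF,
        "addr1": mac_str(frame[4:10]),   # receiver
        "addr2": mac_str(frame[10:16]),  # claimed transmitter (unauthenticated, so spoofable)
        "addr3": mac_str(frame[16:22]),  # BSSID for these subtypes
        "body": frame[MGMT_HEADER_LEN:],
    }


def ssid_from_ies(ies: bytes) -> Optional[str]:
    """Walk the information elements and return the SSID element, if present."""
    pos = 0
    while pos + 2 <= len(ies):
        ie_id, ie_len = ies[pos], ies[pos + 1]
        data = ies[pos + 2 : pos + 2 + ie_len]
        if len(data) < ie_len:  # truncated element: stop rather than misparse
            return None
        if ie_id == SSID_IE:
            return data.decode("utf-8", errors="replace")
        pos += 2 + ie_len
    return None


# Offset of the first information element within the body, per subtype
FIXED_FIELDS = {SUBTYPE_ASSOC_REQ: 4, SUBTYPE_PROBE_REQ: 0, SUBTYPE_BEACON: 12}


def disclosed_ssids(frames: List[bytes]) -> Set[Tuple[str, str]]:
    """(transmitter, SSID) pairs sent in the clear. A 'hidden' network's beacons
    carry a zero-length SSID, but its clients still name it in probe and
    association requests, which is why hiding the SSID is not a security control."""
    seen = set()
    for frame in frames:
        f = parse_mgmt_frame(frame)
        if f["type"] != 0 or f["subtype"] not in FIXED_FIELDS:
            continue
        ssid = ssid_from_ies(f["body"][FIXED_FIELDS[f["subtype"]]:])
        if ssid:  # empty SSID element (hidden network beacon) carries nothing
            seen.add((f["addr2"], ssid))
    return seen


def deauth_flood_sources(frames: List[bytes], threshold: int = 10) -> Dict[str, int]:
    """Count deauthentication/disassociation frames per claimed transmitter.
    Legitimate APs send these rarely, so a burst above the threshold is the
    usual wireless-IDS signal that clients are being forced off the network.
    Counting is by the address the frame claims, since management frames
    carry no proof of who really sent them."""
    counts: Counter = Counter()
    for frame in frames:
        f = parse_mgmt_frame(frame)
        if f["type"] == 0 and f["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            counts[f["addr2"]] += 1
    return {mac: n for mac, n in counts.items() if n >= threshold}


# ---- constructed sample capture (not a real trace) ----
def _mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes) -> bytes:
    fc = subtype << 4  # protocol version 0, type 0 (management)
    return struct.pack("<H", fc) + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


CLIENT = bytes.fromhex("02aabbccdd01")  # constructed, locally administered addresses
AP = bytes.fromhex("02aabbccdd02")
BCAST = b"\xff" * 6
SSID = b"hidden-lab-net"                # constructed network name
SSID_IE_BYTES = bytes([SSID_IE, len(SSID)]) + SSID

SAMPLE_FRAMES = [
    # beacon from the hidden AP: timestamp, interval, capability, then an empty SSID element
    _mgmt(SUBTYPE_BEACON, BCAST, AP, AP, b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + bytes([SSID_IE, 0])),
    # client probing for the network by name
    _mgmt(SUBTYPE_PROBE_REQ, BCAST, CLIENT, BCAST, SSID_IE_BYTES),
    # client associating: capability + listen interval, then the SSID element
    _mgmt(SUBTYPE_ASSOC_REQ, AP, CLIENT, AP, b"\x11\x04\x0a\x00" + SSID_IE_BYTES),
] + [
    # twelve deauthentication frames claiming to come from the AP, reason code 7
    _mgmt(SUBTYPE_DEAUTH, CLIENT, AP, AP, b"\x07\x00") for _ in range(12)
]

if __name__ == "__main__":
    print("SSIDs disclosed by clients:", disclosed_ssids(SAMPLE_FRAMES))
    print("deauth flood sources:", deauth_flood_sources(SAMPLE_FRAMES))
```

The threshold of ten frames is an arbitrary constructed value; in practice it would be tuned per window of time and per BSSID, and 802.11w (protected management frames) is the mitigation that makes such spoofed frames fail authentication at the client.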