How to find a pipe address using nRF24L01(+) 2.4GHz Wireless Transceiver

I'm trying to figure out if there is an efficient way of figuring out a pipe address of an rf24 radio. In order for two radios to communicate, they have to be on the same channel and have the same read and write pipe addresses.

The only approach I can think of now is by using brute force, the easiest way to eliminate the number of searches is to know at least the radio channel--I think that's the easy part. In theory (I guess), I could set my "searching" radio to the correct channel, the set it to only "listen", and then try one address after another. But that's inefficient, since the address can be any 40-bit hex value. So there are 2^40 possible keys--I don't want to spend 2 weeks at a time trying to find "listen" address.

Is there a better way? Is there maybe a way to send a signal to a channel and get all pipe addresses available on that channel? Basically anything but my method.

Edit 1:

I wonder if there is a way to modify a scanner like this one: https://github.com/TMRh20/RF24/blob/master/examples/scanner/scanner.ino so that it captures all of the "visible" packets for a given channel, and then find out the address. According to nRF24L01(+) specifications "packet contains a preamble, address, packet control, payload and CRC field". This would narrow down the number of possible addresses to very few.