[windexh8er]

Why not? A WPA handshake can be considered public information. Connecting to that particular ESSID yields all that's needed to brute force WPA and would be considered external. There's no limitations this presents to pen testers. However, for $17 this is a relatively small dictionary set. Based on what we use for real world pen testing we have just shy of 1 billion unique words / phrases.

[peterwwillis]

Technically it's public but you need to be responsible with how you deal with your client's data. Even if the NDA says nothing about releasing handshake details, you still have to explain to your client why a WPA-cracking website has details about their infrastructure.

I agree the convenience is attractive but I wouldn't want to put myself in that position.

[windexh8er]

Interesting thought, but the reality of the situation is quite different. If something is in the public domain (i.e. something you can see, hear or smell) what provisions within the realm of the law protect you from using that sensory data? A company's parking lot may have provisions for me not entering it (i.e guard, fence, etc), but if I perch myself on a parking ramp across the street and use a camera with a powerful lens I can still take pictures of cars and people within the lot.

The same is true for radio, and conversely 802.11. If you expose yourself to data leakage via loud APs / incorrect antenna then it should be well understood that that information is being placed in the public domain (i.e. WPA handshake). A would be malicious user is not bound by any of the restrictions mentioned, and so placing them on people that are knowingly auditing is highly counterproductive unless all the client is going for is a warm fuzzy. This particular way of thinking about pen testing and assessments needs to be at the forefront of the testing itself, because if the client is that misinformed/misled they probably need more help than an incorrectly scoped assessment.