by gipsies
4178 days ago
A brute-force attack against the PSK handshake requires only a single handshake to be captured. There are no known techniques to speed up the attack if more handshakes are captured. Man-in-the-middle attacks against WPA are not trivial at all. The client and access point perform mutual authentication. If you don't know the password, you can't put up an identical rogue access point. The passphrase is never explicitly included in the handshake, only in "protected" forms (in challenge/response messages).
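An added illustration of the point made in that comment (example code, not from the thread or from any WPA implementation): the client-side check of message 3 of the WPA2-PSK 4-way handshake. The PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), the PTK is derived with the 802.11 PRF from the PMK, both MAC addresses and both nonces, and the EAPOL-Key MIC is HMAC-SHA1 (key descriptor version 2) under the first 16 bytes of the PTK. Everything except the passphrase travels in the clear, which is why one captured handshake is enough to test guesses offline, and it is also why an access point that does not know the passphrase cannot produce a MIC the client will accept. The MAC addresses, nonces and the simplified EAPOL-Key layout (MIC at byte offset 81, as in a real frame) are constructed sample values; the "password"/"IEEE" pair is the published 802.11 PMK test vector.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for this example, not from the thread).
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))          # fixed so the example is deterministic
SNONCE = bytes(range(32, 64))
MIC_OFFSET = 81                    # MIC field position inside the EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are the only cost per guess a brute-forcer pays."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP) from the PMK plus the four public handshake inputs."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key descriptor version 2: HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def build_message3(anonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 3 with the MIC field zeroed (simplified key data)."""
    return (
        b"\x02\x03" + (95 + 2).to_bytes(2, "big")   # 802.1X version, type EAPOL-Key, body length
        + b"\x02"                                    # descriptor type RSN
        + b"\x13\xca"                                # key info: pairwise, install, ACK, MIC, secure
        + (16).to_bytes(2, "big")                    # key length (CCMP)
        + (2).to_bytes(8, "big")                     # replay counter
        + anonce                                     # ANonce, offset 17..48
        + bytes(16) + bytes(8) + bytes(8)            # IV, RSC, reserved
        + bytes(16)                                  # MIC placeholder, offset 81..96
        + (0).to_bytes(2, "big")                     # key data length
    )


def ap_send_message3(passphrase: str, ssid: str) -> bytes:
    """What the AP does: derive the PTK from its passphrase and sign message 3."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    frame = build_message3(ANONCE)
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def client_verify_message3(frame: bytes, passphrase: str, ssid: str) -> bool:
    """What the client does: recompute the MIC with its own PTK and compare.
    A rogue AP that does not know the passphrase fails this check."""
    anonce = frame[17:49]
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = derive_ptk(pmk, AP_MAC, CLIENT_MAC, anonce, SNONCE)[:16]
    received = frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.compare_digest(received, eapol_mic(kck, zeroed))


if __name__ == "__main__":
    genuine = ap_send_message3("password", "IEEE")
    rogue = ap_send_message3("not-the-real-key", "IEEE")
    print("genuine AP accepted:", client_verify_message3(genuine, "password", "IEEE"))
    print("rogue AP accepted:  ", client_verify_message3(rogue, "password", "IEEE"))
```

The defensive takeaway is in `pmk_from_passphrase`: the attacker's cost per guess is one PBKDF2 run with 4096 SHA-1 iterations and nothing else, so the passphrase's entropy is the entire security margin of WPA2-PSK.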
I didn't mean to imply that MitM is trivial, just that it's quicker than brute-force in many cases. And, I assumed the rogue AP was not doing true WPA encryption like the real AP, just enough to make it appear correct to get clients to connect so you can serve the fake control panel. If you need the passphrase to stand up the rogue AP, what is the point of this attack? You're not phishing for anything but the WPA key.
EDIT: just read your comment about how this actually works (that is, the "rogue" AP is just another unencrypted network.) That's actually really lame, and I withdraw my previous praise for this crack. ;)