Oh ok I didn't explain myself properly. Everyone knows about WPS and reaver and so on. Most routers have adopted countermeasures against it now.
But there is another method to establish a WPA connection (or more precisely get the WPA configuration) with the help of the WPS standard. For that you don't even need a PIN, but physical access to press a button (or so they say). Then you can retrieve the password with any one device within 2 min after pressing the button. This method is therefore completely open and unsecured. The only security lies in the timeframe of usually 2 min in which the device will reveal the WPA password to anyone asking for it, and also that it is only intended for one device to ask for it.
While this is not an active attack, it should be an easy passive attack, and in comparison to the WPS PIN or WPA brute-force cracking it has a 100% guarantee of working (of course, since it's passive, there needs to be attackee action and therefore it's not guaranteed to happen). It's even hard to call it an attack. Although I envision it to clearly be one by having a tool running continuously until any device in range has its button pressed and offers to reveal the password to anyone.
This is where you just gave me an idea that sniffing might be feasible as well. While the router is supposed to tell if there is more than one station asking for the password, it should still tell the password to multiple devices and usually flashes in a different way when doing so. But who in the world knows and notices? Besides, if you could actually sniff the key exchange through the WPS push-button method, maybe you can stay completely passive and get it through the packet capture of that exchange.
Here's where I couldn't even find a proper description of how the protocol works - I don't know the encryption used for that exchange. And to be really elegant, I also wonder if a WPS station advertises its button pressed OTA. That would be crazy insecure. As far as I have found it doesn't do so - no tool can show this state. So you'd have to actively probe for stations. Every 30 s should be enough to account for transmission errors within the 2 min timeframe and shouldn't overload the air. It would, however, be practically undetectable since it's layer 2 stuff.