That highly depend on the target:
- discover how many CLIENTs are associated to this NETWORK - is one of them weak (transmit PSK in the clear)
- get information about target AP (check IE TAGs of BEACON or PROBE RESPONSE - maybe serial number is present)
- reverse engineer firmware of the router
- run hashcat a9 attack on MAC and ESSID
- do md5sum/sha1sum on MAC or part of MAC or on serial number or part of the serial number and try result as PSK
- do md5sum/sha1sum on MAC or part of MAC or on serial number or part of the serial number and convert it by a translation table and use it as PSK
-do the same as mentiuone above but on a combination of the MAC and the serial number
- check for a pattern and run hashcat's MASK attack
- run (cleaned) word list & rule
- discover how many CLIENTs are associated to this NETWORK - is one of them weak (transmit PSK in the clear)
- get information about target AP (check IE TAGs of BEACON or PROBE RESPONSE - maybe serial number is present)
- reverse engineer firmware of the router
- run hashcat a9 attack on MAC and ESSID
- do md5sum/sha1sum on MAC or part of MAC or on serial number or part of the serial number and try result as PSK
- do md5sum/sha1sum on MAC or part of MAC or on serial number or part of the serial number and convert it by a translation table and use it as PSK
-do the same as mentiuone above but on a combination of the MAC and the serial number
- check for a pattern and run hashcat's MASK attack
- run (cleaned) word list & rule