If you capture enough packets (IVs, initialization vectors), about 100,000, from the network, you can crack the password with statistical methods. You can also add packet injection (ARP packets) to capture the 100,000 IV packets faster.
WPA2
When a client (cell phone, laptop, Roku) auto-connects to a known WPA2 network, the password hash is exchanged during the 4-way handshake. If you can capture the handshake/hash, you can crack it offline against a wordfile. Instead of waiting around for a client to connect, you can disconnect an already connected client with a DEAUTH packet, and the client will automatically reconnect with a fresh handshake. Some chipsets reveal their PSK without clients connected (PMKID attack).
WPS
An 8-digit PIN, used as an alternative to the passphrase. It can be brute-forced, or certain chipsets and firmwares have exploits that reveal the PIN (PixieDust).
Rainbow Tables
The hashed pre-shared key is created using the ESSID as one of the inputs. If you want to create a database from a wordlist that has been prehashed, you have to include the target ESSID in the hashing process. Useful for common/default ESSID names (NETGEAR, XyTel, etc).
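The ESSID dependence described above, as an added example that is not part of the original notes: it uses the standard WPA2-Personal derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, ESSID as salt) to show that a table prehashed for a default ESSID stops matching once the network is renamed. The word list, the ESSID `HomeNet-7f3a` and the helper names are constructed for illustration.

```python
import hashlib

PMK_ITERATIONS = 4096   # fixed by the WPA2-Personal key derivation
PMK_LENGTH = 32         # 256-bit pairwise master key

# Constructed sample data, not taken from any real wordlist or network.
SAMPLE_WORDS = ["password123", "letmein2024", "correct horse battery"]
DEFAULT_ESSID = "NETGEAR"        # default name mentioned in the notes
RENAMED_ESSID = "HomeNet-7f3a"   # constructed unique name


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """Hash a WPA2 passphrase into its pre-shared key, salted by the ESSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    if not 1 <= len(essid.encode()) <= 32:
        raise ValueError("ESSIDs are 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), essid.encode(), PMK_ITERATIONS, PMK_LENGTH
    )


def precompute(words, essid):
    """Model a prehashed table: every entry is bound to one ESSID."""
    return {derive_pmk(word, essid): word for word in words}


def table_hit(table, network_passphrase, network_essid):
    """Return the matching word if the network's key is in the table, else None."""
    return table.get(derive_pmk(network_passphrase, network_essid))


if __name__ == "__main__":
    table = precompute(SAMPLE_WORDS, DEFAULT_ESSID)
    # Same weak passphrase on both networks; only the ESSID differs.
    for essid in (DEFAULT_ESSID, RENAMED_ESSID):
        hit = table_hit(table, "password123", essid)
        print(f"{essid!r}: {'covered by table' if hit else 'not in table'}")
```

Renaming the network only invalidates precomputed tables; a passphrase that appears in a wordlist can still be tested directly, so a unique ESSID complements a long random passphrase rather than replacing it.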