In The Wild
Kernelcon WiFi Fox & Hound
Fox Hunting in the Wild
Wigle Mapper to find vulnerable access points within the city. Search by MAC address for vulnerable chipsets (e.g. Pixie Dust)
RouterSploit. Most routers run embedded Linux. Get CLI & root access.
Search the Exploit Databases for more exploits:
Most routers have their firmware publicily available online. Extract & examine with BinWalk and modify with Firmware Mod Kit: