Errata

"For a hacker to be successful, a few conditions need to take place. The most obvious is that the hacker must be able to receive the wireless signal from the access point."
Not true (I think that this was discovered long after the book was published)

Only half of a valid EAPOL handshake is required to begin cracking the password. To crack the PSK for an AP positioned deep inside a facility (far out of range) an attacker can create a rogue WPA access point with the same ESSID and any random PSK (using something like hostapd). The attacker can then wait for a user of the legitimate AP to exit the building and when the device gets within range of the attacker, it will try to connect automatically, whereby the attacker will sniff the half valid handshake with a separate monitor interface. The device will obviously fail to authenticate but the damage is already done.

This removes the AP from the equation entirely. Here is the PoC (not mine)
https://github.com/dxa4481/WPA2-HalfHandshake-Crack

"For a hacker to be successful, a few conditions need to take place. The most obvious is that the hacker must be able to receive the wireless signal from the access point."
Not true (I think that this was discovered long after the book was published)

Only half of a valid EAPOL handshake is required to begin cracking the password. To crack the PSK for an AP positioned deep inside a facility (far out of range) an attacker can create a rogue WPA access point with the same ESSID and any random PSK (using something like hostapd). The attacker can then wait for a user of the legitimate AP to exit the building and when the device gets within range of the attacker, it will try to connect automatically, whereby the attacker will sniff the half valid handshake with a separate monitor interface. The device will obviously fail to authenticate but the damage is already done.

This removes the AP from the equation entirely. Here is the PoC (not mine)
https://github.com/dxa4481/WPA2-HalfHandshake-Crack