A few myths about WPA-PSK:
* "WPA-PSK rainbow tables" are not rainbow tables; they are lists of hashes for given passwords and SSIDs.
* You never have a hash of the password. The hash of the password is just as good as having the password itself, since you have two choices: a password of 8 to 63 letters or 64 hex digits (the hash).
* When you sniff a successful authentication, whether from frame injection (deauth-ing) or just waiting, you get 2 MAC addresses, 2 nonces (salts), "eapolframe" (the message), and "keymic" (HMAC of the message with a key that is part of the PTK). You then take a password and generate the PMK (that hash). Use the 2 MAC addresses, 2 nonces, and the PMK to generate the PTK. Then compute the HMAC of the message with a key that is part of the PTK and finally compare it to the "keymic."
I don't think "WPA-PSK rainbow tables" are rainbow tables, since I don't think it's possible. I tried to download a "rainbow table" for WPA-PSK, but the files were all blank and named ".hash", so I couldn't tell what these files are. I think the file format of ".hash" is just a list of hashes for passwords, and I'm not going to download 33 GiB just to see what one of the files looks like. If you don't believe me or just want proof, you'll need to have the 33 GiB of tables and post one of the file names and the first 1 KiB in hex.
If you were just trying to crack a hash, you would attack the first 160 bits of the 256-bit hash so you can go 2 times faster, since the first 160 bits are calculated separately from the last 96 bits, but both aircrack and cowpatty generate the full 256 bits.
http://www.wi-fiplanet.com/tutorials/ar ... hp/3667586
This is a rough estimate; you can probably get 5,800 to 4,800 on a Core2 Quad 3.0 GHz.
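
Added example, not part of the original post: the passphrase-to-PMK step written out as PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, showing that the first 160 bits and the last 96 bits come from two independent blocks and that the 64-hex-digit form is equivalent to the passphrase. The function names and the sample passphrase and SSIDs are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import string
import struct

ITERATIONS = 4096  # iteration count fixed by WPA-PSK


def pbkdf2_block(passphrase: bytes, ssid: bytes, index: int) -> bytes:
    """One 160-bit PBKDF2-HMAC-SHA1 output block (the F function of RFC 2898)."""
    u = hmac.new(passphrase, ssid + struct.pack(">I", index), hashlib.sha1).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(ITERATIONS - 1):
        u = hmac.new(passphrase, u, hashlib.sha1).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(20, "big")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit PMK = block 1 (160 bits) + first 96 bits of block 2."""
    p, s = passphrase.encode("ascii"), ssid.encode()
    return pbkdf2_block(p, s, 1) + pbkdf2_block(p, s, 2)[:12]


def resolve_pmk(configured_key: str, ssid: str) -> bytes:
    """Map what is typed into the PSK field to the PMK actually used."""
    if len(configured_key) == 64 and all(c in string.hexdigits for c in configured_key):
        return bytes.fromhex(configured_key)     # 64 hex digits: used as the PMK directly
    if 8 <= len(configured_key) <= 63:
        return derive_pmk(configured_key, ssid)  # passphrase: hashed with the SSID as salt
    raise ValueError("PSK must be 8-63 characters or 64 hex digits")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    phrase, ssid = "correct horse battery", "HomeNet"
    pmk = derive_pmk(phrase, ssid)
    print("PMK:", pmk.hex())
    print("first 160 bits are block 1 alone:",
          pmk[:20] == pbkdf2_block(phrase.encode(), ssid.encode(), 1))
    print("same passphrase, other SSID gives another PMK:",
          pmk != derive_pmk(phrase, "HomeNet2"))
    print("hex form is equivalent to the passphrase:",
          resolve_pmk(pmk.hex(), ssid) == pmk)
```

Because the SSID is the salt, a precomputed list of PMKs is only valid for the SSID it was built for, which is why a unique SSID and a long passphrase both matter when configuring a network.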