I am a noob too but i think bruteforce wont be the best way..
you could try this way: (but it will be a bad way too, it is just an idea i've never tried before)
-Kill the true AP with MDK3
-create a fake AP with the same BSSID and a fake WPA encryption (i dont remember if the fake encryption is possible)
-route the traffic through this new connection (victims will have an internet access)
-create a fake Router Home page (you must know the brand and model of this one) or a Provider home page and start it on the apache server
-dns spoofing and sniffing with ettercap to grab login and password to try to enter the router and read the wpa key
Second idea: (a remote keylogging)
create a trojan with the metasploit meterpreter and link it with a document or a file (where you ask the victim to go in the router and retype its security parameters or its wpa key). Send it to your victim. Start a keylogging to grab the wpa key....
with my two methods you will have 2 chances on 1 million to grab the wpa key but i really think "social engineering" will be easier.