I think what you are asking how to do is a clientless wep attack, nothing special there and quiet possible just search it, alternatively you may search wep fragmentation attack or wep chop chop attack.
As for a method of cracking wpa that YOU could execute, I'm afraid you have to have a four-way EAPOL handshake, no if or buts about it, the two methods of acquiring one are.
1. Let airodump listen to the ap and wait for a client to connect.
2. Deauthenticate a connected client and capture the handshake.