I'm somewhat obsessively auditing all the Wi-Fi networks I administer (around 5), trying to crack into them with the methods available. They all run WPA2/CCMP.

I've run all the handshakes through the usual wordlists successfully (darkc0de, Church of Wifi, numeric, etc.)

WPS is disabled, but the passphrases certainly aren't as complex as they could be. They're not dictionary words or common variations of them, but they're not random symbols 20 characters long either.

How would you continue the attack when the easy methods have failed? Does WPA cracking really just boil down to the quality of the wordlist?