There are a few apps that do password guessing and have default password lists.
Many phones have promiscuous mode (you can sniff the network you are connected to) but not monitor mode (sniff any data). If you chroot into Ubuntu/Debian you can put it into promisc and start sniffing.
The only mobile wifi chipset that I know with monitor mode is the wl1521 which is in the N900, the G1/HTC Dream, and the G2/HTC Desire Z. The N900 is easy to get into monitor mode- load kernel module, done. The G1 requires some kernel patching that breaks wifi for kernel version above 6.29 (Donut or Eclair I think) but there's some Froyo kernel that uses 2.6.29 and blah blah blah really annoying crap. The G2 happens to have a stable kernel for Froyo using 2.6.29 and it works with the same patches.
So the N900 is expensive because it has real development, especially in the security area, and the G1 and G2 are cheap but have nearly no development. You can spend a few hundred dollars more and not have to screw around with anything.
