as karma attacks works on saved open networks only and not secured ones so we will need to have the password first to get it work although this seems a bit hard... the number of saved networks Guarantee that there is a one with a weak password... so will need to make the karma attack start two networks of the targeted prob one open and the second secured and the victim will auto connect to the one with the correct configuration with the saved obviously correct password and we save that handshake with the other handshakes captured form the same device to brute force and break the ones with the weak passwords.