If the router is vulnerable, this script uses reaver and pixiewps to retrieve the AP password in as little as 9 seconds. YUP! With the fastest configuration, you get the WPA password of any vulnerable AP in 9 seconds.
It enumerates all the APs with active WPS, then tries to get the PKE, PKR, E-NONCE, R-NONCE, AUTHKEY, HASH1 and HASH2 using the patched version of reaver. It passes all that information to the pixiewps program so that it can recover the WPS PIN, and finally runs reaver again with the PIN that pixiewps found to get the AP's WPA password.
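When auditing your own access points, the first step above (an AP advertising WPS) can be checked from a beacon's tagged parameters, so that WPS can be switched off where it is found. This is an added example, not part of the script: the function names and sample beacons are constructed for illustration, and a WPS element only shows that WPS is advertised, not that the AP is vulnerable to pixiewps.

```python
import struct

WPS_VENDOR = bytes.fromhex("0050f204")    # OUI 00:50:F2, OUI type 0x04 = WPS
ATTR_STATE, ATTR_LOCKED = 0x1044, 0x1057  # WPS State, AP Setup Locked

def tlvs(buf, header):
    """Yield (type, value) for each element; stop at the first truncated one."""
    size, off = struct.calcsize(header), 0
    while off + size <= len(buf):
        kind, length = struct.unpack_from(header, buf, off)
        off += size
        if off + length > len(buf):
            return
        yield kind, buf[off:off + length]
        off += length

def audit_beacon(tagged):
    """Return (ssid, finding) for one beacon's tagged parameters."""
    ssid, finding = "<hidden>", "no WPS element"
    for tag, body in tlvs(tagged, "BB"):           # 802.11 IE: 1-byte id, 1-byte len
        if tag == 0x00 and body:
            ssid = body.decode("utf-8", "replace")
        elif tag == 0xDD and body[:4] == WPS_VENDOR:
            attrs = dict(tlvs(body[4:], ">HH"))    # WPS attr: 2-byte id, 2-byte len
            if attrs.get(ATTR_LOCKED) == b"\x01":
                finding = "WPS on, PIN setup locked"
            elif attrs.get(ATTR_STATE) in (b"\x01", b"\x02"):
                finding = "WPS on"
            else:
                finding = "WPS element without state"
    return ssid, finding

# --- constructed sample beacons (not captured from real devices) ---
def ie(tag, body):
    return bytes([tag, len(body)]) + body

def attr(kind, value):
    return struct.pack(">HH", kind, len(value)) + value

VERSION = attr(0x104A, b"\x10")
SAMPLES = [
    ie(0, b"lab-ap-1") + ie(0xDD, WPS_VENDOR + VERSION + attr(ATTR_STATE, b"\x02")),
    ie(0, b"lab-ap-2") + ie(0xDD, WPS_VENDOR + VERSION + attr(ATTR_STATE, b"\x02")
                            + attr(ATTR_LOCKED, b"\x01")),
    ie(0, b"lab-ap-3") + ie(0x30, b"\x01\x00"),    # RSN stub, no WPS element
]

if __name__ == "__main__":
    for beacon in SAMPLES:
        print("%-10s %s" % audit_beacon(beacon))
```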
Please report any bugs to email@example.com || Twitter: https://twitter.com/jgilhutton || Demonstration: