To Paulnewman
Outside of brute forcing a handshake or WPA phishing, there are three (3) possibilities. Chances of success are SMALL, may not be immediate and these attacks may not work at all!
Method One
Some routers, when subject to small amounts of DDOS, release WPS pins even though the WPS system is locked. You can test this vulnerability by using one of the VMR-MDK variants.
Method Two
Some routers reset their WPS pins to 12345670 and become open to WPS pin collection for short periods of time. You can run reaver or bully with the pin 12345670 in the command line and constantly attack the router for a long period of time (i.e. weeks). Better just run up varmacscan when your computer is idle and you may get lucky.
Method Three
Some routers reset after being subjected to heavy DDOSing. Mteams has not had much success with Method Three.