Thread: Going down the WPS Locked Router Rabbit Hole

  1. #1
    Join Date
    2013-Jul
    Posts
    844

    Going down the WPS Locked Router Rabbit Hole

    Musket Teams have ONLY come across Wifi Routers that lock up after 10 pin requests regardless of the MAC address requesting the pins. We began aggressively locking the WPS systems of all Wifi Routers in range by requesting pins till the router locked every time these routers showed an open state. To our surprise one of the routers' key completion jumped to 91% after a few pin request cycles (i.e. 10 pins per cycle). This of course would allow even WPS Locked Routers to be hacked given time and patience. The rule then is to request pins anytime they are available. We do not wish to note the first six digits of this router's MAC address for fear software engineers who might read this will quickly correct the flaw.
    We have had reports but have never seen Wifi Routers whose WPS locking is related to the MAC addresses requesting the pins. In other words, if the same MAC address requests X number of pins the router locks. However random MAC addresses requesting pins do not lock the router. Anyone finding a router reacting like this should download Musket Team's varmacreaver.sh. You can find the link to the varmacreaver.sh download in these forums. This tool was originally designed for exactly this WPS locking feature; however we could never find a router that locked due to repeated pin requests from a single MAC address only while ignoring requests from random MAC addresses. Varmacreaver.sh can be set up to constantly change the MAC address after every pin request.

    We have cracked WPS locked routers the traditional way or by brute forcing the handshake. Anytime we do this we expend some effort trying to break the router's username-password with hydra or brutus.

    We have had equal success by doing a man in the middle attack with Cain/XP or ettercap. We use Netcut/XP to shut down the ability of the user-client to access the internet. Invariably the user logs onto the router while the MITM is in progress and we get their password and username through Cain. Just have patience. You can also intermittently disrupt their system with mdk3 or again Netcut; anything that might cause the user to turn to the router and access it. Using Ettercap you can try and automate this with http://forum.aircrack-ng.org/index.php/topic,401.0.html.

    Once you have access to the router go into the firmware pages and obtain the WPS key by reading the firmware page. Like magic you now have their secret name. Users rarely change the WPS Key, just the WPA password. And even a temporarily open WPS locked Router can be cracked in less than 10 pin requests if you have their WPS Key. So even if they change the WPA key you are back in within a few days as you have their secret name.

    Resetting the router is not covered here as it is being explored in a blog led by Soxrox2212.

  2. #2
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Just to spread the knowledge, follow this thread to reset a WPS lockout.
