Oh, also if you are running Ubuntu (it may exist in other distros) you may want to be aware of the "notify-send" command. http://manpages.ubuntu.com/manpages/hardy/man1/notify-send.1.html
Uses reaver and finds vulnerable local wifi networks then lists them out and you can pick which one based on the bssid. Type in the BSSID of the target and it takes care of the rest. Not exactly quick if your computer is ass, but if you use a cloud server to speed it up/have time to sit outside someone's house you're fine. Also it saves any previously tried pins so that's a plus if you need to get out quick.
Sounds like a challenge. I'm in =P and yeah notify-send looks like a great tool but Ubuntu is a struggle (it's so baby-like)! I prefer Debian-based rather than whatever the hell they turned Ubuntu into code-wise.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
It should work fine on Debian as I wrote it using Kali Linux (Debian-based).
Link - http://pastebin.com/WRTi2PYq
This is probably dated as it's the last version I emailed to myself before my HDD crashed, so as you can see in the code very few things were implemented (ToRChains being the primary one).
If the selection part doesn't work, copy the code starting at ' echo "killing..." to ' echo "Enjoy...".
Will it automatically slow down for access points that implement brute-force protection? Most new access points don't allow WPS to be brute-forced. There's something like 3 attempts per minute max on my access point, and it will then lock any further attempts for 5 minutes. Meaning it will need to run for about 4 days (2 attempts per minute) in order to go through all 11 000 combinations.
Yeah, the only problem is that newer routers can detect multiple attempts and lock. AP rate limiting is also a problem and I believe there is a parameter to change how many times/minute you can attack. I just realized that my script is missing another one called infodump.sh which ran "wash" and output to a file which the main script would then check for in order to see any open routers. Script is not there though, so if you want to write it yourself feel free, but if not I'll get on it soon.
Edit: Found this command you can substitute in the script properly if you know bash