
As you know, by hacking WPS we can get the network's PSK, but my question is: does WPS actually transfer the PSK when the connection is established?

If so, why does it need to send the PSK? I mean, if the session is started successfully, why should the AP send the PSK too?

lusic
  • @schroeder So the router knows that we entered the correct PIN; why doesn't it change the PIN a little and encrypt packets with that? Why MUST it encrypt them with the PSK only? Why not, for example, an MD5-ed PIN? – lusic Oct 11 '15 at 18:46
  • There we go. THAT is what you need to ask in the question. – schroeder Oct 11 '15 at 18:47
  • Then we can talk about what encryption really means. – schroeder Oct 11 '15 at 18:48
  • @lusic because the PIN has so little entropy that its security can only last for a short period of time / with few allowed authorization attempts, or else brute force is too easy – Natanael Oct 11 '15 at 22:20

1 Answer


The WPS PIN doesn't provide enough security to be used in place of the PSK. As designed, the PIN provides about 23 bits of security, about the same as a four-character alphanumeric password*. The security comes entirely from the fact that WPS is immune to offline attacks, requiring the attacker to make guesses no faster than the AP being attacked will allow.

Essentially, how WPS works is that the AP and computer negotiate an encrypted but not authenticated channel, the computer and AP each perform some math to prove possession of the PIN (note that neither side ever sends the PIN over the encrypted channel), and the AP then sends the PSK and other configuration details to the computer. Since the PIN is never transmitted, the only possible attack is to repeatedly attempt to prove to the AP that you know the PIN.

If you use the PIN in place of the PSK for traffic security, offline attacks become possible because data derived from the PIN is being transmitted, and an attacker who can record the encrypted traffic can recover the PIN in a matter of seconds by checking to see which PIN would produce the derived traffic.

* As implemented, the WPS PIN provides about 13 bits of security, similar to a two-character alphanumeric password.

Mark
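The following is an added illustration of the answer's argument, not code from the original post or from any WPS implementation. It puts numbers on the two entropy figures in the answer (10^7 valid PINs as designed, 10^4 + 10^3 guesses once the AP confirms the halves separately) and then shows what the comment's "encrypt with an MD5-ed PIN" suggestion would cost: one captured frame with a predictable header is enough to recover the PIN offline, with nothing on the AP side counting or slowing the attempts. Assumptions: the PIN checksum digit follows the WPS specification; the key derivation (MD5 of the PIN digits), the stream cipher (hash-based keystream XOR) and the nonce are constructed toys chosen only so the search loop is cheap; the known plaintext is the LLC/SNAP header that every IPv4 data frame starts with; the one-guess-per-second online rate is an assumed figure for comparison.

```python
"""Toy model: PIN-derived traffic keys fall to an offline search.

Constructed example, not the WPS protocol. Only the PIN checksum rule and the
LLC/SNAP known-plaintext header are real; the key derivation and the cipher
are toys so the brute-force loop is fast enough to run on a laptop.
"""
import hashlib
import math
import os

# LLC/SNAP header carried by every IPv4 data frame: attacker's known plaintext.
KNOWN_HEADER = bytes.fromhex("aaaa030000000800")


def wps_checksum_digit(seven: str) -> str:
    """Checksum digit that the WPS spec appends to the 7 free PIN digits."""
    d = [int(c) for c in seven]
    accum = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return str((10 - accum % 10) % 10)


def valid_pins():
    """All 10**7 PINs whose checksum digit is consistent."""
    for n in range(10 ** 7):
        seven = f"{n:07d}"
        yield seven + wps_checksum_digit(seven)


def security_bits(split_halves: bool) -> float:
    """Bits of security of the PIN search.

    split_halves=False: 10**7 valid PINs, as the PIN was designed.
    split_halves=True: the AP confirms the first four digits on their own, so
    the halves are searched one after the other: 10**4 + 10**3 guesses.
    """
    space = 10 ** 4 + 10 ** 3 if split_halves else 10 ** 7
    return math.log2(space)


def online_guess_time_hours(attempts: int, attempts_per_second: float) -> float:
    """Worst-case time when every guess must be answered by the AP (assumed rate)."""
    return attempts / attempts_per_second / 3600


def toy_key_from_pin(pin: str) -> bytes:
    """Constructed: the comment's 'MD5-ed PIN' used directly as a traffic key."""
    return hashlib.md5(pin.encode()).digest()


def toy_keystream(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Constructed keystream block: MD5(key || nonce || counter)."""
    return hashlib.md5(key + nonce + counter.to_bytes(4, "big")).digest()


def toy_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Constructed stream cipher: XOR the plaintext with successive keystream blocks."""
    out = bytearray()
    for i in range(0, len(plaintext), 16):
        ks = toy_keystream(key, nonce, i // 16)
        out.extend(a ^ b for a, b in zip(plaintext[i:i + 16], ks))
    return bytes(out)


def offline_recover_pin(nonce: bytes, ciphertext: bytes, candidates=None):
    """Attacker side: try every PIN against one recorded frame.

    Returns (pin, attempts). No AP is involved, so nothing rate-limits, locks
    out or even notices the attempts; the cost is purely local CPU time.
    """
    target = ciphertext[:len(KNOWN_HEADER)]
    tried = 0
    for pin in (valid_pins() if candidates is None else candidates):
        tried += 1
        if toy_encrypt(toy_key_from_pin(pin), nonce, KNOWN_HEADER) == target:
            return pin, tried
    return None, tried


if __name__ == "__main__":
    # Constructed victim: seven digits 1234567 plus checksum -> 12345670.
    pin = "1234567" + wps_checksum_digit("1234567")
    nonce = os.urandom(8)
    frame = toy_encrypt(toy_key_from_pin(pin), nonce, KNOWN_HEADER + b"\x45\x00\x00\x3cpayload")

    print(f"as designed:     {security_bits(False):.1f} bits, "
          f"{online_guess_time_hours(10 ** 7, 1):.0f} h online at 1 guess/s")
    print(f"as implemented:  {security_bits(True):.1f} bits, "
          f"{online_guess_time_hours(10 ** 4 + 10 ** 3, 1):.1f} h online at 1 guess/s")

    found, attempts = offline_recover_pin(nonce, frame)   # full 10**7 search, tens of seconds
    print(f"offline, from one captured frame: PIN {found} after {attempts} local guesses")
```

The offline search takes well under a minute on the whole 10^7 space with this toy cipher, and a real implementation would use a faster hash or a GPU. The same key derivation in the online direction, with the AP as the only party able to confirm a guess, forces the attacker through roughly 2,800 hours at one guess per second, which is the entire security margin the answer describes; once the halves are confirmed separately, that margin shrinks to about three hours.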