
As asked in this question, there is a program called Dumpper. It can find the PIN of an AP without brute forcing it.

But with another tool called Jumpstart, together they can crack any AP that is running the WPS feature.

It literally brings the WPA2 PSK within seconds, "depending on signal strength".

I've read a lot about WPS flaws and other security issues, but I still don't know what exactly those two applications are doing.

How can they bring the PSK at such speed, "not using any brute force"?

Eibo

1 Answer


As the other question's answer said, Dumpper looks like it identifies the AP via its MAC address or other information exposed over the 802.11 protocol, then checks a database to work out if the default WPS key / seed generation algorithm is known. This is limited to APs whose firmware images have been reverse engineered and analysed.

Jumpstart just cracks the WPS pin by trying all of the possible combinations. This is much faster than trying to crack the WPA2 key itself. This isn't always possible, though, as many modern APs have WPS implementations with lockout periods to prevent bruteforcing.

Polynomial
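The two approaches the answer describes, side by side, as an added example that is not part of the original question or answer. It shows (a) a database lookup of a MAC-derived default PIN of the kind Dumpper is said to perform, using the publicly documented ComputePIN formula (last 24 bits of the MAC modulo 10^7, plus the WPS checksum digit), and (b) the split-PIN brute force Jumpstart-style tools rely on, which needs at most 10,000 + 1,000 attempts because the AP confirms each half of the PIN separately (after M4 and after M6), plus the effect of a lockout counter. The registrar class is a toy stand-in for an AP's WPS state machine, the OUI table is constructed, and whether any real AP derives its default PIN this way is an assumption, not a claim about a vendor.

```python
"""Added example (not from the original question or answer): default-PIN lookup
versus split-PIN brute force against a toy WPS registrar.

Constructed/assumed: the OUI -> generator table, the WpsRegistrar simulation,
and the sample MAC addresses. ComputePIN is a public formula; that any given
AP uses it is an assumption.
"""
from typing import Callable, Dict, Optional, Tuple


def wps_checksum(pin7: int) -> int:
    """Checksum digit from the WPS specification, computed over the first 7 digits."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: int) -> bool:
    """An 8-digit WPS PIN is well-formed when its last digit is the checksum of the first seven."""
    return 0 <= pin <= 99_999_999 and pin % 10 == wps_checksum(pin // 10)


def compute_pin(mac: str) -> int:
    """ComputePIN: last 24 bits of the MAC modulo 10^7, then append the checksum digit."""
    low24 = int(mac.replace(":", "").replace("-", "")[-6:], 16)
    body = low24 % 10_000_000
    return body * 10 + wps_checksum(body)


# Constructed OUI -> generator table (the OUI here is made up, not a real vendor mapping).
DEFAULT_PIN_GENERATORS: Dict[str, Callable[[str], int]] = {"001122": compute_pin}


def lookup_default_pin(mac: str) -> Optional[int]:
    """Dumpper-style step: does a known default-PIN algorithm exist for this OUI? If so, derive the PIN."""
    oui = mac.replace(":", "").replace("-", "").upper()[:6]
    gen = DEFAULT_PIN_GENERATORS.get(oui)
    return gen(mac) if gen else None


class WpsLocked(RuntimeError):
    """Raised when the toy AP has entered its WPS lockout state."""


class WpsRegistrar:
    """Toy AP-side registrar: confirms the two PIN halves separately (as the real
    protocol leaks after M4 and M6) and optionally locks WPS after N failures."""

    def __init__(self, pin: int, lockout_after: Optional[int] = None):
        assert is_valid_pin(pin)
        self.pin = pin
        self.lockout_after = lockout_after
        self.failures = 0
        self.attempts = 0

    def _attempt(self, ok: bool) -> bool:
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            raise WpsLocked("WPS locked after too many failed attempts")
        self.attempts += 1
        if not ok:
            self.failures += 1
        return ok

    def check_first_half(self, half: int) -> bool:
        return self._attempt(half == self.pin // 10_000)

    def check_second_half(self, half: int) -> bool:
        return self._attempt(half == self.pin % 10_000)


def brute_force_pin(ap: WpsRegistrar) -> Tuple[Optional[int], int]:
    """Jumpstart-style split search: 10^4 candidates for the first half, then only
    10^3 for the second half because its last digit is fixed by the checksum.
    Returns (pin, attempts), or (None, attempts) if the AP locked WPS first."""
    try:
        first = next(h for h in range(10_000) if ap.check_first_half(h))
        for tail in range(1_000):
            second = tail * 10 + wps_checksum(first * 1_000 + tail)
            if ap.check_second_half(second):
                return first * 10_000 + second, ap.attempts
    except WpsLocked:
        return None, ap.attempts
    return None, ap.attempts
```

Worst case the split search costs 11,000 attempts, against 10^8 for a naive 8-digit search and far more for a WPA2 passphrase; a registrar with a lockout of even a few dozen failures stops the toy attack almost immediately, which is the defence the answer mentions.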