dnd 5e – Do I have to attack to use Extra Attack?

Yes, you need to attack to take advantage of Extra Attack

The fighter’s Extra Attack feature says:

Beginning at 5th level, you can attack twice, instead of once, whenever you take the Attack action on your turn.

As stated, you need to take the Attack action, using up your one available action for that turn, but now you can attack twice within that action.

You cannot take any other action (Disengage, Cast a Spell, etc.) and then swing a weapon as well as part of the same action, unless specific rules explicitly state otherwise.

web application – Watering hole Website NTLM Steal Attack

Im trying to recreate a Watering hole SMB theft attack
Where you send a victim a link to your website containing code like “file://ip/file.gif”
Causing Forced Authentication which passes the NTLM hash
I have the code which execute the process (check reference links)

But how can i retrieve/steal the NTLM hash back over the internet remotely without being on local network?

This process can be done locally very easily but im struggling with finding an NTLM listener to use over the internet remotely on a website


Newly Discovered Watering Hole Attack Targets Ukrainian, Canadian Organizations


statistics – How can I calculate expected Stunt Points per attack when FIRST dropping a d6?

Here’s a tweaked version of the function from my earlier answer that should work for any number (≥ 2) of ordinary dice, with the player choosing two of them:

function: stunt points for DICE:s and STUNT_DIE:n vs TARGET:n {
  if {1,2}@DICE + STUNT_DIE < TARGET { result: 0 }   miss 

   it's a hit; can we choose a pair that will give us stunts? 
  if 1@DICE = STUNT_DIE { result: STUNT_DIE }
  if DICE = STUNT_DIE & 1@DICE + 2 * STUNT_DIE >= TARGET { result: STUNT_DIE }
  loop I over {1..#DICE-1} {
    if I@DICE = (I+1)@DICE & 2 * I@DICE + STUNT_DIE >= TARGET { result: STUNT_DIE }

  result: 0   hit but no pair 

The first line in the function (checking if the roll is a miss) is the same as in my old code, except that I’m explicitly summing only the highest two ordinary dice rolled using {1,2}@DICE: if those plus the stunt die don’t meet the target, then no combination will. Conversely, if they do, then we’ll at least get a hit, but we might or might not get any stunts.

(Replacing the result: 0 on the first line with result: d{} will make the code calculate the distribution of stunt points conditioned on the roll being a successful hit, i.e. as if all misses were rerolled until they hit. You could also change this line to e.g. return -1 to distinguish misses from hits with no stunts.)

Next, I’m checking if the player might be able to choose two dice out of however many they rolled that will given them a hit with stunts. Here, there are three possibilities, which the code checks for in this order:

  1. If the highest ordinary die matches the stunt die, then simply choosing the highest two ordinary dice will give a hit with stunts. (We know it will, because we just checked that at the start of the function.)

  2. Otherwise, if any ordinary die matches the stunt die and if that die plus the stunt die plus the highest roll will meet the target, then the player can choose those and get stunts.

    (In the code, DICE = STUNT_DIE compares a sequence with a number, returning true if any value in the sequence matches the number. We don’t actually need to know the index of the matching die in the sequence, if any, since we know its value anyway — it’s equal to the stunt die!)

  3. Finally, we loop over the dice and check if any two consecutive dice in the (automatically sorted) sequence have the same value, and if so, whether that value twice plus the stunt die is enough for a hit. If so, the player can choose that pair and get stunts.

    (Since we know the sequence is sorted in descending order, and since this is the last possibility checked for, we could actually abort the loop early and return 0 from the function as soon as we find that 2 * I@DICE + STUNT_DIE < TARGET, as no smaller pair can possibly give a hit either. Implementing that minor optimization is left as an exercise for the reader. 🙂

Finally, if none of those checks succeeds, the function returns 0 indicating that the player could not get any stunts but still rolled a successful hit (choosing e.g. their top two ordinary dice plus the stunt die).

When called with 2d6 as DICE, this function is a drop-in replacement for the one in my earlier answer, and indeed gives the same results.

What about for more dice? As we can see, as the number of dice to choose from increases, the probability of getting stunts increases.

AnyDice screenshot

In general, higher stunt counts are more likely than lower ones, which makes intuitive sense: the higher you roll on the stunt die, the more likely you are to hit and to be able to choose a hitting combo that includes two identical dice. However, the specific shape of the curve varies depending on the target difficulty: DC 10 above, for example, gives fairly smooth looking plots, but DC 11 seems to favor odd numbers of stunts, leading to a more staircase-like graph:

AnyDice screenshot

Notably, for five or more normal dice and DC 11, the probability of getting a hit with stunts is actually slightly lower if you roll a 4 on the stunt die than if you roll a 3. (Of course you still get more stunts if you do get any, and your overall hit probability is higher too, so a higher roll on the stunt die is still better.)

disk encryption – Security against local attack for remote FDE decryption?

Is there any remote FDE decryption that is resistant to an attacker that has local physical access?

Tools like dracut-sshd need to store the private key used for the sshd server on the unencrypted boot partition, so a local attacker has the ability to become a MITM and sniff the decryption password.

Can using a TPM to protect the sshd key foil this attack?

Does clevis-tang have essentially the same problem? At the bottom of the tang README.md is this list of security considerations:

  1. Man-in-the-Middle
  2. Compromise the client to gain access to cJWK
  3. Compromise the server to gain access to sJWK's private key

Problem (1) is not a concern according to this document. I assume you avoid problem (3) by running the tang server on a FDE itself or storing the key on a HSM. Problem (2) sounds impossible to protect against if the attacker is local – is that correct?

The tang documentation stresses that the…

client protect cJWK from prying eyes. This may include device
permissions, filesystem permissions, security frameworks (such as
SELinux) or even the use of hardware encryption such as a TPM

Is the TPM option the only way to foil an attacker with physical access to the unencrypted boot partition?

Is there any work-around that allows remote unattended FDE decryption that a local attacker cannot compromise?

dnd 5e – If I get access to a spell attack that’s NOT part of a spell, can I use it when I take the Attack action?

Some creatures have entries in their stat block that are classified as ‘melee spell attack’, or ‘ranged spell attack’, without actually being tied to the casting of a spell. Some PC subclasses also get some of those, notably the Way of the Sun Soul and the Circle of Stars, but they are framed in such a way that still leaves no doubt as to when you can use it (with the Attack action, for the Monk, and as a bonus action on your turn, for the Druid). So let’s say I get access to the former, monster-like spell attacks.

  1. Can I use it when I take the Attack action?
  2. If not, is the reason that they are listed as ‘Actions’ on the creature’s stat block? So just like I can only use the Circle of Stars Archer feature as a bonus action, this would leave me with an Action and not a general combat option. It’s probably this, but I still need clarification about point 3.
  3. The rules for the Attack action state: “With this action, you make one melee or ranged Attack”. Nowhere here it says ‘weapon attack’. So even if the only attack option for a PC still is given by holding a weapon or having the possibility to make an unarmed strike, would this allow me to make a spell attack as a part of it if such an option were available to me outside of explicitly permittive wordings (as I said, I understand that casting a spell is its own thing, using a feature like the Archer form is its own thing, etc.).

I hope I made my question clear.

Why can’t we perform a replay attack on wifi networks

I was wondering that when a hacker is trying to hack a wifi network he would try to capture a handshake and then try to decrypt it,whereas when you wanna login to your wifi you would type in your password and the password would be encrypted then sent to the router which would decrypt it using a key.
So why can’t we just resend the encrypted password(the handshake) to the router without having to decrypt it like a replay attack.

A library required which generates dictionary attack passwords (for testing my theory)

I have calculated that 15 characters long password will take more than 8000 years to crack by the most powerful supercomputer available today.

My theory is that – Even if passwords are simple and easy to remember but if they are atleast 15 characters long, then these passwords are unbreakable.

So, according to me a simple but long password like – “iloveunitedstates” is an unbreakable password.

But someone pointed out that using dictionary attack, this password can be hacked easily.

But I am not convinced that this password can be broken.

So, I wanted to test it myself. So, is there a library or tool that generates dictionary attack passwords, so that I can use it to see if the password “iloveunitedstates” is crackable or not.

Please let me know if there is such a library or tool.

XSS attack being blocked by the browser

I’m trying to validate / test and XSS attack; however when I navigate to the page, the browser (tried on Chrome and Edge) tells me:

A parser-blocking, cross site (i.e. different eTLD+1) script,
is invoked via document.write. The network
request for this script MAY be blocked by the browser in this or a
future page load due to poor network connectivity. If blocked in this
page load, it will be confirmed in a subsequent console message. See
https://www.chromestatus.com/feature/5718547946799104 for more

I visited the reference page, but it’s not very clear on exactly what is happening. Is there a way to turn this off so that I can validate the XSS attack?