The PH is clear about what counts as an attack:
If there’s ever any question whether something you’re doing counts as an attack, the rule is simple: if you’re making an attack roll, you’re making an attack
However, it’s a general principle, and we know that specific beats general. Are there any specific cases in 5e when you actually performing an attack (that will trigger any “when you hit with an attack” feature) without making an attack roll?
Grapple and Shove doesn’t count — they do not count as a hit, so technically they are not “attacks”, despite they are called “special melee attacks” in the PH.
Related: What does upper-case-A-Attack action vs. lower-case-a-attack mean?
An eldritch knight wants to attack a guard behind a wall. Before, he casts scrying and thus can see the target and where they are behind the wall.
How this should be resolved?
Is he unable to attack through the wall? Or it depends on the material of the wall? Or it counts as attacking a location? How should advantage/disadvantage be applied to this?
I really want this to work because having a knight in full plated armor greet the enemy through the wall with a giant axe seem awesome, but my DM insists on giving me ruling support.
So the UA specialist for the Artificer, the Armorer, has an interesting ability for one of the models you can take.
Thunder Gauntlets. Your armored fists each count as a simple melee weapon, and each deals 1d8 thunder damage on a hit. A creature hit by the gauntlet has disadvantage on attack rolls against targets other than you until the start of your next turn, as the armor magically emits a distracting pulse when the creature attacks someone else.
Should you end up with a cantrip like Booming Blade through some means, could you use Thunder Gauntlets to perform it? Would you then get the unique effect of Thunder Gauntlet alongside the normal effects of such a cantrip?
This question is prompted by reading this answer to a question about using the Polearm Master feat’s bonus action after a Shove and halbard Attack
In the section “Making an Attack” (PHB, page 194):
If there’s ever any question whether something you’re doing counts as an attack, the rule is simple: if you’re making an attack roll, you’re making an attack.
Shoving does not require an attack role but rather a contested Athletics check.
Under “Shoving a Creature” (PHB, 195)
Using the Attack action, you can make a special melee attack to shove a creature, either to knock it prone or push it away from you. […] You make a Strength (Athletics) check contested by the target’s Strength (Athletics) or Dexterity (Acrobatics)check (the target chooses the ability to use).
The text specifically says Shove is a “special melee attack”
Is this a case of “specific beats general” where the specific wording of Shove makes it an attack even though the general definition of an attack is different? Alternatively is the wording of shove just using common language or is it intended to mean something different?
I’m using airgeddon (
https://github.com/v1s1t0r1sh3r3/airgeddon) to perform a deauthentication attack on my wifi network.
When i put my wireless interface in monitor mode to scan the network from the outside I found the router’s BSSID, which is
10:13:31:F1:48:8D, and then I tried to perform various deauthentication attacks on the network but all of them failed: my computer can successfully send packets but the network is not affected (since my other devices can access internet normally).
Then I ran Zenmap from inside of the network to check if my router’s BSSID was correct and I found that all the devices connected to wifi shown a different BSSID for the router, which is:
10:13:31:F1:48:8C: the difference is in the last digit.
So I tried to perform the attack on the
8C BSSID manually (because it is not detected by airodump-ng) but the attack fails.
This is what I used for the attack:
aireplay-ng -0 0 -a 10:13:31:F1:48:8C wlp3s0mon
and the result is:
00:03:55 Waiting for beacon frame(BSSID 10:13:31:F1:48:8C) on channel 1 00:04:05 No such BSSID available.
using the channel 1 for the attack (the same attack works with
8D and channel set on 1).
There’s a way to perform the attack on the correct BSSID?
As the title states, I have a question about how the rules handle using the Extra Attack class feature to make two separate attacks with a two-handed weapon and a thrown weapon.
PHB Errata. Two-Handed (p. 147). This property is relevant only when you attack with the weapon, not when you simply hold it.
PHB Page 190. You can also interact with one object or feature of the environment for free, during either your move or your action. For example, you could open a door during your move as you stride toward a foe, or you could draw your weapon as part of the same action you use to attack.
Not official rule, but this developer Tweet says:
@DnDMontreal [Apr 4, 2015]:
@JeremyECrawford what are the rules on dropping weapons? People are dropping weapons to circumvent only having one ‘Interaction with Object’
@JeremyECrawford [3:20 PM · Apr 4, 2015]:
@DnDMontreal The intent is that letting go of something requires no appreciable effort. But picking it up does.
So, my question is, can I perform this sequence of events during my turn?
- Start turn with Halberd in both hands
- Let go of Halberd with one hand (either letting the pole arm hang mid-air in one hand, or propping it up with the butt-end on the ground) using “free action”
- Draw Javelin from storage, throw said Javelin at one target out of melee range
- Replace second hand onto halberd to attack second target that IS within melee range
- Use Bonus Action to do whatever I want (including possibly butt-end attack with Halberd from Polearm Master feat)
This comes up as a result of looking at a handful of other questions, and finding them all not quite capturing my own question:
- Holding a longbow (or other 2H weapon) and attacking with a shortsword (or other 1H weapon)?
- This question is only concerned about using one weapon while holding the other and has nothing to do with multiple attacks as main action. It also served as a good baseline for formatting my question 🙂
- Can you draw and or throw a javelin on one or more successive turns while still using a 2-handed weapon for opportunity attacks?
- This question focuses on the reactions you can make with a polearm, which are also relevant options my character would want to have available. It has the parts of shifting weapon to one hand and back to two hands, but nothing of multiple attacks.
- Can you drop one hand from a two-handed weapon to draw and use a single-handed weapon next turn?
- This is only one small part of my question. It is also how I found the Sage Advice.
- Can you attack with more than one weapon when using Extra Attack?
- This answered part of my question as well. I especially love the example given in Dale M’s answer
- Can you attack with different weapons using Extra Attack?
- Finally this question also answered part of my question as well.
I apologize for the wall of text, but based on this research, my reading is that the above scenario is allowed per RAW (and a little RAI doesn’t hurt my case). I just want confirmation from the larger community to make sure that I got it right for when I present it to my DM and fellow players.
I am playing a warlock in my current campaign and I selected earthen grasp for one of the invocations. Earthen grasp comes with its own base attack bonus:
Treat the arm as a Medium creature, with a base attack bonus equal to your caster level and a Strength of 14 +2 per three caster levels (16 at 3rd level, 18 at 6th level, and so on).
Looking at this, it doesn’t seem to require any sort of roll since the strength bonus is always pre-determined. In that case, what would I need to roll in order to summon/cast an earthen grasp?
I’m currently working on understanding and contemplating to implement password strength validation for sign ups in my app, to include checking haveibeenpwned if entered password is compromised elsewhere.
I understand the process involves the site sending a partial hash of the password to HIBP and HIBP will respond whether it’s pwned.
I am also assuming that it is possible that HIBP stores logs of my API request and that it may contain information leading back to my app.
If HIBP gets hacked, and attacker gains access to the above hypothetical logs, assuming that it contains all the information in the original request – the partial hash and where it came from (my site), can the attacker construct an attack on my site is this way?
- Hash the passwords in the list of pwned password and get a list of hashes
- Match the partial hash he has with those in the above list and derive a refined dictionary of N number of possible passwords with same partial hash
- Try the passwords on my site
I am aware at every point in the above, measures can be put in place to mitigate each, e.g. 2FA. But it is not my objective to ask for how to secure my sign up, but to validate my concerns with using HIBP and whether there’s an attack vector to be considered.
PS: I’m not a security expert but I do know how passwords and hashes work. As HIBP is new to me, I don’t fully know how it works and all the features of its API. Pardon me if I made wrong assumptions.
I know from a well voted for answer in Is a Wild Shape attack considered an unarmed strike? that it is possible for a druid to make an unarmed strike while wildshaped, just instead of the beast’s normal damage you would deal 1+STR (or otherwise for a monk or druid with Tavern Brawler), but what would the attack modifier be? A character is proficient in their unarmed strikes, so would they use proficiency bonus + strength modifier? Or would it just be straight strength modifier because they have no proficiency bonus, as their game statistics were replaced by the beast’s?
I have read these posts: https://www.cnet.com/news/fraudulent-google-certificate-points-to-internet-attack/
As far as I know, a certificate should be installed on a server.
So I don’t quite understand how issuing a fraudulent certificate for *.google.com (the spelling of the common name is correct – it is not phishing) could trigger these browser warnings without installing it on a server.
I understand that a private key is in their hands but how did they manage to throw this certificate from the official Google website to users?
Did they install it on a Gmail server?
Could you explain, please?