Can Minor Illusion be used to replicate non-physical attacks?

Recently as a player my party fought against a creature that could paralyze you if you looked at it. Since my rogue has now seen it, would it be possible to replicate this using Minor Illusion by creating a image of the creature, and would it work the same way or be less effective? Could this also be used to replicate the attack the creature used that could kill if you failed the saving throw?

Do opportunity attacks have disadvantage if I use my action to Dodge and then move out of melee range?

I am currently playing a multi-class Cleric 5 / Rogue 2 and at times I have managed to kite melee mobs successfully using my Cunning Action to Disengage, then my movement and then using a ranged attack, which has worked fine for most of the time. Sometimes though I get pounced on by several melee mobs at once (3-5), especially when we face tactical mobs. In this case I have ended up in a loop where they catch up with me each time because I am having to use my Cunning Action to Disengage, instead of Dash.

Sometimes, I just want to get away quite far by using Dash instead, without getting pummeled by the opportunity attacks in the process. I want to get more distance between me and the mobs so they cannot catch up with me in their next move.

Basically, I want to be able to use Dodge as my Action so that when I move out of melee range from the 3-5 mobs there is less of a chance the mobs will hit me in the process, with 3-5 opportunity attacks. We’ve not tried this in our campaign yet, so I want some confirmation about how this works and whether the 3-5 melee mobs who are right next to me would get disadvantage on their opportunity attacks as I try to dash off?

I especially appreciate answers that contain play-tested experience from DMs who have managed this situation or players who have actually played as a Rogue.

With Form Of A Beast, if you use Strength Of A Bear, what damage do your attacks do?

The 2D20 Conan spell Form Of A Beast says that you “gain a Natural attack of 4 dice”, but in the various iterations of the spell (such as Strength Of A Bear and Body Of A Wolf), it says you “gain its attacks”, which would appear to do less base damage than 4 dice (if you subtract the bonus the creature gains from its own Brawn).

For example, a Bear’s Bite is listed at doing 6 dice of damage, but presumably this takes into account the Bear’s listed Brawn of 12, which would add 3 of those dice, meaning the base damage of the Bite is actually 3…

So what would the actual damage be when assuming those forms and gaining their attacks (instead of just casting the base form of the spell and getting a natural attack of 4)?

Attacks on EAP-AKA’ protocol (5g)

I’m doing research on authentication protocols and I’m analyzing the EAP-AKA’ protocol described in RFC 5448 that is one of the three protocols adopted in 5G. I would like to know if there are any known attacks to this protocol as I can’t find anything among the common research portals.

Can you break up Eldritch Blast attacks? [duplicate]

EB at higher levels makes multiple beams. Can you choose targets after each beam, move in between them, and use bonus actions as well?

Case in point, level 5 Warlock casts EB. Decides to target Alice first, hits first beam on Alice, and downs her. Warlock then moves 10ft, casts Hex on Bob with a bonus action, and hits second beam on Bob as well. Is this legal?

What’s the highest amount of ranged attacks a pure fighter can make in one turn consistently?

I’ve been working on a 20th level character concept for a while and trying to optimize it for use in a future game, the requirements would be as follows:

  • Only 3.X WotC handbooks (No 3rd party books, no magazines, no online-only content except for web enhancements of handbooks, no adventure-specific content).
  • Only handbooks from the D&D 3E standard setting/Greyhawk (no eberron, faerun, dragonlance, etc).
  • The only base class used must be fighter, any prestige class is ok as long as it doesn’t grant any magical abilities (includes psionics, incarnum, etc), also no martial powers.
  • Optimized for ranged damage output, without relying on allies, consumables, or very low frequency abilities (1/day stuff and the like).

Given that, the concept I’ve got so far is a pure SAD dexterity fighter dual wielding auto-realoading hand-crossbows, boosting damage with feats Dead Eye and Crossbow Sniper, plus specialization and mastery feats. The damage per attack is not too bad (1d4+31), and I’m now looking for ways to increment the number of attacks I could make.

So far I get 4 attacks from BAB, 3 from TWF, 1 from Rapid Shot, and 1 from Haste, for a total of 9 attacks.

I’m specifically looking for methods to increase the number of attacks per full attack action. But I’d also welcome any general advice to improve the build given the previous requirements.

Is this method of 32 char hash generation secure enough for online-based attacks?

A fellow developer and I have been having a discussion about how vulnerable a few different methods of developing a hash are, and I’ve come here to see if smarter people than I (us?) can shed some light.

In PHP, I feel the below is secure ENOUGH to generate as 32 character value that could not be reasonably broken via online attack. There are some other mitigating circumstances (such as in our specific case it would also require the attacker to already have some compromised credentials), but I’d like to just look at the "attackability" of the hash.

str_shuffle(MD5(microtime())) 

The suggested more secure way of generating a 32 character hash is:

bin2hex(random_bytes(16)) 

I acknowledge the first hash generation method is not ABSOLUTELY SECURE, but for an online attack I think being able to guess the microtime (or try a low number of guesses), and know the MD5 was shuffled and/or find a vulnerability in MT which str_shuffle is based on is so low as to make it practically secure.

But I would love to hear why I’m a fool. Seriously.

EDIT — This is being used as a password reset token, and does not have an expiry (although it is cleared once used, and is only set when requested).

Preventing HTTPS Replay Attacks

I’ve read here that HTTPS replay attacks aren’t possible from MITM attacks but I want to be sure that it’s not saying that HTTPS replay attacks aren’t possible at all. I want to know if I have to implement my own obscure method for temporarily preventing the inevitable or if something like this already exists.

Suppose the attacker is the client. They have access to the client and are communicating with the server legitimately, analyzing the traffic. Therefore the attacker has access to the client’s private key (or at least, the ability to replicate its generation). What’s stopping them from just replaying the traffic through a fake client after sniffing the payload before it’s encrypted? That is to say, running it through the client to encrypt it then send it themselves.

My client relies on the hardware information from the system to validate one-user-per-subscription and want to know what all of the weak points are for this system. Spoofing it seems really easy if they generate it normally once then spoof it every time after.