web application – Watering hole Website NTLM Steal Attack

I'm trying to recreate a watering hole SMB theft attack, where you send a victim a link to your website containing code like “file://ip/file.gif”, causing forced authentication which passes the NTLM hash. I have the code which executes the process (check reference links).

But how can I retrieve/steal the NTLM hash back over the internet remotely without being on the local network?

This process can be done locally very easily, but I'm struggling with finding an NTLM listener to use over the internet remotely on a website.




dnd 5e – If I get access to a spell attack that’s NOT part of a spell, can I use it when I take the Attack action?

Some creatures have entries in their stat block that are classified as ‘melee spell attack’, or ‘ranged spell attack’, without actually being tied to the casting of a spell. Some PC subclasses also get some of those, notably the Way of the Sun Soul and the Circle of Stars, but they are framed in such a way that still leaves no doubt as to when you can use it (with the Attack action, for the Monk, and as a bonus action on your turn, for the Druid). So let’s say I get access to the former, monster-like spell attacks.

  1. Can I use it when I take the Attack action?
  2. If not, is the reason that they are listed as ‘Actions’ on the creature’s stat block? So just like I can only use the Circle of Stars Archer feature as a bonus action, this would leave me with an Action and not a general combat option. It’s probably this, but I still need clarification about point 3.
  3. The rules for the Attack action state: “With this action, you make one melee or ranged Attack”. Nowhere does it say ‘weapon attack’. So even if the only attack option for a PC is still given by holding a weapon or having the possibility to make an unarmed strike, would this allow me to make a spell attack as a part of it if such an option were available to me outside of explicitly permissive wordings (as I said, I understand that casting a spell is its own thing, using a feature like the Archer form is its own thing, etc.)?

I hope I made my question clear.

disk encryption – Security against local attack for remote FDE decryption?

Is there any remote FDE decryption that is resistant to an attacker that has local physical access?

Tools like dracut-sshd need to store the private key used for the sshd server on the unencrypted boot partition, so a local attacker has the ability to become a MITM and sniff the decryption password.

Can using a TPM to protect the sshd key foil this attack?

Does clevis-tang have essentially the same problem? At the bottom of the tang README.md is this list of security considerations:

  1. Man-in-the-Middle
  2. Compromise the client to gain access to cJWK
  3. Compromise the server to gain access to sJWK's private key

Problem (1) is not a concern according to this document. I assume you avoid problem (3) by running the tang server on a FDE itself or storing the key on a HSM. Problem (2) sounds impossible to protect against if the attacker is local – is that correct?

The tang documentation stresses that the…

client protect cJWK from prying eyes. This may include device
permissions, filesystem permissions, security frameworks (such as
SELinux) or even the use of hardware encryption such as a TPM

Is the TPM option the only way to foil an attacker with physical access to the unencrypted boot partition?

Is there any work-around that allows remote unattended FDE decryption that a local attacker cannot compromise?

anydice – How can I calculate expected Stunt Points per attack when FIRST dropping a d6?

Here’s an example anydice function which calculates this kind of result:

function: stunt DICE:s STUNT:n DC:n {
  \ cannot succeed even with the two highest dice plus the stunt die \
  if 1@DICE + 2@DICE + STUNT < DC {
    result: 0
  }
  \ DICE is sorted high to low, so doubles can only be adjacent \
  loop X over {1..#DICE-1} {
    if (X@DICE = (X+1)@DICE | X@DICE = STUNT | (X+1)@DICE = STUNT) & X@DICE + (X+1)@DICE + STUNT >= DC { result: STUNT }
  }
  \ no qualifying double: success without stunt points \
  result: 0
}

Let’s walk through it.

We invoke the function by calling [stunt Xd6 1d6 DC], where Xd6 is our dice pool, the other 1d6 is our stunt die, and DC is the target we need to roll on the dice. When the function runs, the rolled dice pool will be cast to a sequence, which anydice will helpfully automatically sort from highest to lowest.

The first if statement in the function checks to see whether the roll can possibly succeed – we take the two highest dice from the dice pool and the stunt die and see if they are less than the target number. If so, we immediately return 0, as it is not possible to succeed on the roll.

Then we start iterating over the pool using a loop in order to check for any doubles, starting with the first two dice. If any two of the dice under consideration (the pair and the stunt die) are equal to each other, and the total of those two dice and the stunt die is enough to beat the target DC, the test has succeeded with stunt points – we return the value of the stunt die.

We know that any two dice in the sequence must be adjacent to each other in order to have a chance of being doubles, because the sequence has been sorted already, so we don't need to exhaustively check every possible combination from the sequence – stepping along it in adjacent pairs, using X@DICE and (X+1)@DICE, is good enough.

Otherwise, if we get all the way through the dice pool without finding any doubles that also beat the target DC, we return 0 to indicate the test has succeeded with no stunt points.

Here’s a screencap of some sample output from the function:

Tables of anydice output for pools from 2d6 to 5d6

Interesting modifications to make to the function might be to return -1 instead of 0 if the test fails, which will show you a distribution which indicates both the likelihood of a specific number of stunt points and the likelihood of passing at all (though it will skew the averages), or to return d{} (the “empty die”) to produce a distribution ignoring rolls that fail (i.e. how many stunt points are we likely to get if we succeed?).

Why can’t we perform a replay attack on wifi networks

I was wondering: when a hacker is trying to hack a wifi network, he would try to capture a handshake and then try to decrypt it, whereas when you want to log in to your wifi you would type in your password and the password would be encrypted and then sent to the router, which would decrypt it using a key.
So why can't we just resend the encrypted password (the handshake) to the router without having to decrypt it, like a replay attack?

what is web server attack methodology?

My question is what exactly is Web server attack methodology?

Does it mean the steps of hacking a web server?

Does it mean all kinds of web server hacks?

What exactly is it?

A library required which generates dictionary attack passwords (for testing my theory)

I have calculated that a 15-character-long password will take more than 8000 years to crack on the most powerful supercomputer available today.

My theory is that even if passwords are simple and easy to remember, if they are at least 15 characters long then these passwords are unbreakable.

So, according to me, a simple but long password like “iloveunitedstates” is an unbreakable password.

But someone pointed out that, using a dictionary attack, this password can be hacked easily.

But I am not convinced that this password can be broken.

So, I wanted to test it myself. Is there a library or tool that generates dictionary-attack passwords, so that I can use it to see if the password “iloveunitedstates” is crackable or not?

Please let me know if there is such a library or tool.

XSS attack being blocked by the browser

I'm trying to validate / test an XSS attack; however, when I navigate to the page, the browser (tried on Chrome and Edge) tells me:

A parser-blocking, cross site (i.e. different eTLD+1) script,
is invoked via document.write. The network
request for this script MAY be blocked by the browser in this or a
future page load due to poor network connectivity. If blocked in this
page load, it will be confirmed in a subsequent console message. See
https://www.chromestatus.com/feature/5718547946799104 for more

I visited the reference page, but it’s not very clear on exactly what is happening. Is there a way to turn this off so that I can validate the XSS attack?