mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 03:15:16 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.7 KiB
2.7 KiB
API Reference: Email Header Analysis Tools
Python email Module
Parsing EML Files
import email
from email import policy
with open("phishing.eml", "r") as f:
msg = email.message_from_file(f, policy=policy.default)
msg["From"] # From header
msg["To"] # To header
msg["Subject"] # Subject line
msg["Message-ID"] # Unique message identifier
msg["Reply-To"] # Reply-To address
msg["Return-Path"] # Envelope sender
msg.get_all("Received") # All Received headers (list)
msg.get_all("Authentication-Results") # Auth results
Body and Attachment Extraction
body = msg.get_body(preferencelist=("html", "plain"))
content = body.get_content()
for part in msg.walk():
if part.get_content_disposition() == "attachment":
filename = part.get_filename()
data = part.get_payload(decode=True)
dig - DNS Record Lookup
SPF Record
dig TXT example.com +short
# Output: "v=spf1 include:_spf.google.com ~all"
DKIM Record
dig TXT selector1._domainkey.example.com +short
DMARC Record
dig TXT _dmarc.example.com +short
# Output: "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
pyspf - SPF Validation (Python)
Syntax
import spf
result, explanation = spf.check2(
i="203.0.113.45", # Sending IP
s="sender@example.com", # Envelope sender
h="mail.example.com" # HELO hostname
)
# Results: pass, fail, softfail, neutral, none, temperror, permerror
dkimpy - DKIM Verification (Python)
Syntax
import dkim
with open("email.eml", "rb") as f:
message = f.read()
result = dkim.verify(message)
# Returns True/False
AbuseIPDB - IP Reputation
API Endpoint
curl -G "https://api.abuseipdb.com/api/v2/check" \
-H "Key: YOUR_API_KEY" \
-H "Accept: application/json" \
-d "ipAddress=203.0.113.45" -d "maxAgeInDays=90"
Response Fields
| Field | Description |
|---|---|
abuseConfidenceScore |
0-100 confidence of abuse |
totalReports |
Number of abuse reports |
countryCode |
Source country |
isp |
Internet service provider |
VirusTotal - Domain/URL Reputation
Domain Lookup
curl -H "x-apikey: YOUR_KEY" \
"https://www.virustotal.com/api/v3/domains/suspicious.com"
URL Scan
curl -X POST "https://www.virustotal.com/api/v3/urls" \
-H "x-apikey: YOUR_KEY" \
-d "url=http://suspicious-url.com/login"
whois - Domain Registration
Syntax
whois suspicious-domain.com
Key Fields
Registrar- Domain registrarCreation Date- When domain was registeredRegistrant- Domain owner infoName Server- Authoritative DNS servers