mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 19:55:16 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
122 lines
2.7 KiB
Markdown
122 lines
2.7 KiB
Markdown
# API Reference: Email Header Analysis Tools
|
|
|
|
## Python email Module
|
|
|
|
### Parsing EML Files
|
|
```python
|
|
import email
|
|
from email import policy
|
|
|
|
with open("phishing.eml", "r") as f:
|
|
msg = email.message_from_file(f, policy=policy.default)
|
|
|
|
msg["From"] # From header
|
|
msg["To"] # To header
|
|
msg["Subject"] # Subject line
|
|
msg["Message-ID"] # Unique message identifier
|
|
msg["Reply-To"] # Reply-To address
|
|
msg["Return-Path"] # Envelope sender
|
|
msg.get_all("Received") # All Received headers (list)
|
|
msg.get_all("Authentication-Results") # Auth results
|
|
```
|
|
|
|
### Body and Attachment Extraction
|
|
```python
|
|
body = msg.get_body(preferencelist=("html", "plain"))
|
|
content = body.get_content()
|
|
|
|
for part in msg.walk():
|
|
if part.get_content_disposition() == "attachment":
|
|
filename = part.get_filename()
|
|
data = part.get_payload(decode=True)
|
|
```
|
|
|
|
## dig - DNS Record Lookup
|
|
|
|
### SPF Record
|
|
```bash
|
|
dig TXT example.com +short
|
|
# Output: "v=spf1 include:_spf.google.com ~all"
|
|
```
|
|
|
|
### DKIM Record
|
|
```bash
|
|
dig TXT selector1._domainkey.example.com +short
|
|
```
|
|
|
|
### DMARC Record
|
|
```bash
|
|
dig TXT _dmarc.example.com +short
|
|
# Output: "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
|
|
```
|
|
|
|
## pyspf - SPF Validation (Python)
|
|
|
|
### Syntax
|
|
```python
|
|
import spf
|
|
result, explanation = spf.check2(
|
|
i="203.0.113.45", # Sending IP
|
|
s="sender@example.com", # Envelope sender
|
|
h="mail.example.com" # HELO hostname
|
|
)
|
|
# Results: pass, fail, softfail, neutral, none, temperror, permerror
|
|
```
|
|
|
|
## dkimpy - DKIM Verification (Python)
|
|
|
|
### Syntax
|
|
```python
|
|
import dkim
|
|
with open("email.eml", "rb") as f:
|
|
message = f.read()
|
|
result = dkim.verify(message)
|
|
# Returns True/False
|
|
```
|
|
|
|
## AbuseIPDB - IP Reputation
|
|
|
|
### API Endpoint
|
|
```bash
|
|
curl -G "https://api.abuseipdb.com/api/v2/check" \
|
|
-H "Key: YOUR_API_KEY" \
|
|
-H "Accept: application/json" \
|
|
-d "ipAddress=203.0.113.45" -d "maxAgeInDays=90"
|
|
```
|
|
|
|
### Response Fields
|
|
| Field | Description |
|
|
|-------|-------------|
|
|
| `abuseConfidenceScore` | 0-100 confidence of abuse |
|
|
| `totalReports` | Number of abuse reports |
|
|
| `countryCode` | Source country |
|
|
| `isp` | Internet service provider |
|
|
|
|
## VirusTotal - Domain/URL Reputation
|
|
|
|
### Domain Lookup
|
|
```bash
|
|
curl -H "x-apikey: YOUR_KEY" \
|
|
"https://www.virustotal.com/api/v3/domains/suspicious.com"
|
|
```
|
|
|
|
### URL Scan
|
|
```bash
|
|
curl -X POST "https://www.virustotal.com/api/v3/urls" \
|
|
-H "x-apikey: YOUR_KEY" \
|
|
-d "url=http://suspicious-url.com/login"
|
|
```
|
|
|
|
## whois - Domain Registration
|
|
|
|
### Syntax
|
|
```bash
|
|
whois suspicious-domain.com
|
|
```
|
|
|
|
### Key Fields
|
|
- `Registrar` - Domain registrar
|
|
- `Creation Date` - When domain was registered
|
|
- `Registrant` - Domain owner info
|
|
- `Name Server` - Authoritative DNS servers
|