mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
214 lines
7.6 KiB
Python
214 lines
7.6 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
Deception Technology Deployment Agent
|
|
Deploys and manages honeypots, honeytokens, and canary files to detect
|
|
lateral movement and credential abuse with near-zero false positive alerts.
|
|
"""
|
|
|
|
import hashlib
|
|
import json
|
|
import os
|
|
import secrets
|
|
import socket
|
|
import sys
|
|
import threading
|
|
from datetime import datetime, timezone
|
|
from http.server import HTTPServer, BaseHTTPRequestHandler
|
|
|
|
|
|
def generate_honeytoken_credentials(count: int = 5) -> list[dict]:
|
|
"""Generate fake credential honeytokens for deployment in AD and databases."""
|
|
honeytokens = []
|
|
templates = [
|
|
("svc_backup_admin", "Service account - backup system"),
|
|
("admin_legacy", "Legacy admin account"),
|
|
("db_migration_user", "Database migration service account"),
|
|
("api_service_prod", "Production API service account"),
|
|
("deploy_automation", "CI/CD deployment service account"),
|
|
]
|
|
|
|
for i in range(min(count, len(templates))):
|
|
username, description = templates[i]
|
|
token_id = secrets.token_hex(4)
|
|
honeytokens.append({
|
|
"token_id": f"HT-{token_id}",
|
|
"type": "credential",
|
|
"username": f"{username}_{token_id[:4]}",
|
|
"password": secrets.token_urlsafe(24),
|
|
"description": description,
|
|
"deployment_location": "Active Directory / LSASS memory",
|
|
"alert_on": "Any authentication attempt",
|
|
"created": datetime.now(timezone.utc).isoformat(),
|
|
})
|
|
|
|
return honeytokens
|
|
|
|
|
|
def generate_canary_files(output_dir: str, count: int = 5) -> list[dict]:
|
|
"""Generate canary files that trigger alerts when accessed."""
|
|
canary_templates = [
|
|
("passwords.xlsx", "Fake password spreadsheet"),
|
|
("salary_data_2024.csv", "Fake salary data"),
|
|
("aws_credentials.txt", "Fake AWS access keys"),
|
|
("vpn_config_backup.ovpn", "Fake VPN configuration"),
|
|
("database_backup_prod.sql", "Fake database backup"),
|
|
]
|
|
|
|
canary_files = []
|
|
os.makedirs(output_dir, exist_ok=True)
|
|
|
|
for i in range(min(count, len(canary_templates))):
|
|
filename, description = canary_templates[i]
|
|
filepath = os.path.join(output_dir, filename)
|
|
token_id = secrets.token_hex(4)
|
|
|
|
content = f"# CANARY FILE - Token: {token_id}\n"
|
|
content += f"# This file is a decoy. Any access triggers a security alert.\n"
|
|
content += f"# Description: {description}\n"
|
|
content += f"# Generated: {datetime.now(timezone.utc).isoformat()}\n\n"
|
|
|
|
if "credentials" in filename or "password" in filename:
|
|
content += "admin:P@ssw0rd_fake_canary_2024\n"
|
|
content += "root:SuperSecret_fake_canary!\n"
|
|
elif "aws" in filename:
|
|
content += f"[default]\naws_access_key_id = AKIA{secrets.token_hex(8).upper()}\n"
|
|
content += f"aws_secret_access_key = {secrets.token_hex(20)}\n"
|
|
|
|
with open(filepath, "w") as f:
|
|
f.write(content)
|
|
|
|
canary_files.append({
|
|
"token_id": f"CF-{token_id}",
|
|
"type": "canary_file",
|
|
"filename": filename,
|
|
"filepath": filepath,
|
|
"description": description,
|
|
"sha256": hashlib.sha256(content.encode()).hexdigest(),
|
|
"alert_on": "File open / read access",
|
|
"created": datetime.now(timezone.utc).isoformat(),
|
|
})
|
|
|
|
return canary_files
|
|
|
|
|
|
def generate_dns_canary_tokens(domain: str, count: int = 3) -> list[dict]:
|
|
"""Generate DNS canary tokens that alert on resolution."""
|
|
tokens = []
|
|
for i in range(count):
|
|
token_id = secrets.token_hex(8)
|
|
hostname = f"{token_id}.{domain}"
|
|
tokens.append({
|
|
"token_id": f"DNS-{token_id[:8]}",
|
|
"type": "dns_canary",
|
|
"hostname": hostname,
|
|
"usage": f"Embed in config files, documents, or network shares",
|
|
"alert_on": "DNS resolution of hostname",
|
|
"created": datetime.now(timezone.utc).isoformat(),
|
|
})
|
|
|
|
return tokens
|
|
|
|
|
|
class HoneypotHTTPHandler(BaseHTTPRequestHandler):
|
|
"""Simple HTTP honeypot handler that logs all requests."""
|
|
|
|
alerts = []
|
|
|
|
def do_GET(self):
|
|
alert = {
|
|
"timestamp": datetime.now(timezone.utc).isoformat(),
|
|
"source_ip": self.client_address[0],
|
|
"source_port": self.client_address[1],
|
|
"method": "GET",
|
|
"path": self.path,
|
|
"headers": dict(self.headers),
|
|
"severity": "HIGH",
|
|
}
|
|
HoneypotHTTPHandler.alerts.append(alert)
|
|
print(f"[ALERT] Honeypot hit: {alert['source_ip']} -> GET {self.path}")
|
|
self.send_response(401)
|
|
self.send_header("WWW-Authenticate", 'Basic realm="Restricted Area"')
|
|
self.end_headers()
|
|
self.wfile.write(b"Authentication Required")
|
|
|
|
def do_POST(self):
|
|
content_length = int(self.headers.get("Content-Length", 0))
|
|
body = self.rfile.read(content_length).decode("utf-8", errors="ignore")
|
|
|
|
alert = {
|
|
"timestamp": datetime.now(timezone.utc).isoformat(),
|
|
"source_ip": self.client_address[0],
|
|
"method": "POST",
|
|
"path": self.path,
|
|
"body_preview": body[:200],
|
|
"severity": "CRITICAL",
|
|
}
|
|
HoneypotHTTPHandler.alerts.append(alert)
|
|
print(f"[ALERT] Honeypot credential capture: {alert['source_ip']}")
|
|
self.send_response(403)
|
|
self.end_headers()
|
|
self.wfile.write(b"Access Denied")
|
|
|
|
def log_message(self, format, *args):
|
|
pass
|
|
|
|
|
|
def start_http_honeypot(host: str = "0.0.0.0", port: int = 8888) -> HTTPServer:
|
|
"""Start an HTTP honeypot server in a background thread."""
|
|
server = HTTPServer((host, port), HoneypotHTTPHandler)
|
|
thread = threading.Thread(target=server.serve_forever, daemon=True)
|
|
thread.start()
|
|
print(f"[*] HTTP honeypot listening on {host}:{port}")
|
|
return server
|
|
|
|
|
|
def generate_deployment_report(
|
|
credentials: list, canary_files: list, dns_tokens: list
|
|
) -> str:
|
|
"""Generate deception technology deployment report."""
|
|
total = len(credentials) + len(canary_files) + len(dns_tokens)
|
|
lines = [
|
|
"DECEPTION TECHNOLOGY DEPLOYMENT REPORT",
|
|
"=" * 50,
|
|
f"Date: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')}",
|
|
f"Total Decoys Deployed: {total}",
|
|
"",
|
|
f"HONEYTOKEN CREDENTIALS ({len(credentials)}):",
|
|
]
|
|
for cred in credentials:
|
|
lines.append(f" [{cred['token_id']}] {cred['username']} - {cred['description']}")
|
|
|
|
lines.append(f"\nCANARY FILES ({len(canary_files)}):")
|
|
for cf in canary_files:
|
|
lines.append(f" [{cf['token_id']}] {cf['filename']} - {cf['description']}")
|
|
|
|
lines.append(f"\nDNS CANARY TOKENS ({len(dns_tokens)}):")
|
|
for dns in dns_tokens:
|
|
lines.append(f" [{dns['token_id']}] {dns['hostname']}")
|
|
|
|
return "\n".join(lines)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
output_dir = sys.argv[1] if len(sys.argv) > 1 else "canary_files"
|
|
dns_domain = sys.argv[2] if len(sys.argv) > 2 else "canary.example.com"
|
|
|
|
print("[*] Deploying deception technology...")
|
|
|
|
credentials = generate_honeytoken_credentials(5)
|
|
canary_files = generate_canary_files(output_dir, 5)
|
|
dns_tokens = generate_dns_canary_tokens(dns_domain, 3)
|
|
|
|
report = generate_deployment_report(credentials, canary_files, dns_tokens)
|
|
print(report)
|
|
|
|
inventory = {
|
|
"credentials": credentials,
|
|
"canary_files": canary_files,
|
|
"dns_tokens": dns_tokens,
|
|
}
|
|
output = f"deception_inventory_{datetime.now(timezone.utc).strftime('%Y%m%d')}.json"
|
|
with open(output, "w") as f:
|
|
json.dump(inventory, f, indent=2)
|
|
print(f"\n[*] Inventory saved to {output}")
|