creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 14:14:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-certificate-transparency-for-phishing/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.8 KiB
Raw Blame History

API Reference: Certificate Transparency Phishing Detection

crt.sh API

Search Certificates

# JSON output
curl "https://crt.sh/?q=%.example.com&output=json"

# Exclude expired
curl "https://crt.sh/?q=%.example.com&output=json&exclude=expired"

# Exact match
curl "https://crt.sh/?q=example.com&output=json"

Response Fields

Field Description
id Certificate ID in crt.sh database
common_name Certificate CN
name_value All SANs (newline-separated)
issuer_name Certificate Authority
not_before Validity start
not_after Validity end
serial_number Certificate serial

Certstream - Real-time CT Monitoring

Python Client

import certstream

def callback(message, context):
    if message["message_type"] == "certificate_update":
        data = message["data"]
        domains = data["leaf_cert"]["all_domains"]
        for domain in domains:
            if "example" in domain:
                print(f"[ALERT] {domain}")

certstream.listen_for_events(callback, url="wss://certstream.calidog.io/")

Message Fields

Field Path
Domains data.leaf_cert.all_domains
Issuer data.leaf_cert.issuer.O
Subject data.leaf_cert.subject.CN
Fingerprint data.leaf_cert.fingerprint
Source data.source.name

CT Log Servers

Log Operator URL
Argon Google ct.googleapis.com/logs/argon2024
Xenon Google ct.googleapis.com/logs/xenon2024
Nimbus Cloudflare ct.cloudflare.com/logs/nimbus2024
Oak Let's Encrypt oak.ct.letsencrypt.org/2024h1
Yeti DigiCert yeti2024.ct.digicert.com/log

Phishing Detection Techniques

Homoglyph / IDN Attacks

Original Lookalike Technique
example.com examp1e.com Character substitution (l→1)
google.com gооgle.com Cyrillic о (U+043E)
paypal.com paypa1.com l→1 substitution
microsoft.com mіcrosoft.com Cyrillic і (U+0456)

dnstwist Integration

dnstwist -r -f json example.com   # Generate and resolve permutations
dnstwist -w wordlist.txt example.com  # Dictionary-based

Certificate Details Lookup

# Get full certificate from crt.sh
curl "https://crt.sh/?d=<cert_id>"

# OpenSSL inspection
openssl s_client -connect domain.com:443 -servername domain.com </dev/null 2>/dev/null | \
  openssl x509 -noout -text

Suspicious Indicators

Pattern Risk Level
Free CA + new domain + brand keyword HIGH
Wildcard cert on recently registered domain HIGH
Multiple certs for slight domain variants MEDIUM
IDN/punycode domain mimicking brand HIGH
Cert issued same day as domain registration MEDIUM
Reference in New Issue View Git Blame Copy Permalink