CyberChef – a web app for encryption, encoding, compression and data analysis

I've just noticed I didn't talk about the tools I use quite often for various data conversion purposes.

CyberChef

https://github.com/gchq/CyberChef

The Cyber Swiss Army Knife
CyberChef is a simple, intuitive web app for carrying out all manner of cyber operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years.

That's what they say, and that's what it is.


It was developed by GCHQ (https://www.gchq.gov.uk/), the British intelligence agency. They have a few interesting tools available on their GitHub (https://github.com/gchq).

Useful Operations

  • From/To Hex
  • From/To Base64
  • URL Encode/Decode
  • Regular Expression
  • XOR Brute Force
  • Decode Text
  • CSV to JSON
  • JSON to CSV
  • RC2, RC4, DES, Triple DES, AES Encrypt/Decrypt
  • Bitwise operations
  • HTTP request
  • JPath Expression
  • Strings
  • Extract Filepaths
  • Extract EXIF
  • Zip/Unzip
  • Tar/Untar
  • All the Hashes
  • Syntax Highlighting
  • Script Beautify
  • Render Image
  • ...

Examples

Magic

The "Magic" operation:
It automatically tries different decodings and, most of the time, gets a result.

AES Decryption

Base64 decode

Regular Expressions

This is something I often use to extract text/data or to put the data into the right format (e.g. " => ', or ".." => {data: ".."}).

If it doesn't work, you can still go to https://regex101.com/ to figure out why your expression is wrong.

How to use it

Well... I don't like giving information away or putting it online if I don't have to...

I actually downloaded it and use it offline. It works just fine; I didn't see any difference.

From local: file:///S:/Portable/CyberChef_v9.21.0/CyberChef_v9.21.0.html

For several operations you might want to turn Auto Bake off:
it recalculates automatically on every change you make, which can sometimes slow down your process.


Further Readings

Recipes and Links to resources

https://github.com/mattnotmax/cyberchef-recipes/edit/master/README.md

  • Recipe 1: Extract base64, raw inflate & beautify
  • Recipe 2: Invoke Obfuscation
  • Recipe 3: From CharCode
  • Recipe 4: Group Policy Preference Password Decryption
  • Recipe 5: Using Loops and Labels
  • Recipe 6: Google ei Timestamps
  • Recipe 7: Multi-stage COM scriptlet to x86 assembly
  • Recipe 8: Extract hexadecimal, convert to hexdump for embedded PE file
  • Recipe 9: Reverse strings, character substitution, from base64
  • Recipe 10: Extract object from Squid proxy cache
  • Recipe 11: Extract GPS Coordinates to Google Maps URLs
  • Recipe 12: Big Number Processing
  • Recipe 13: Parsing DNS PTR records with Registers
  • Recipe 14: Decoding POSHC2 executables
  • Recipe 15: Parsing $MFT $SI Timestamps
  • Recipe 16: Decoding PHP gzinflate and base64 webshells
  • Recipe 17: Extracting shellcode from a Powershell Meterpreter Reverse TCP Script
  • Recipe 18: Recycle Bin Parser with Subsections and Merges
  • Recipe 19: Identify Obfuscated Base64 with Regular Expression Highlighting
  • Recipe 20: Using Yara rules with deobfuscated malicious scripts
  • Recipe 21: Inline deobfuscation of hex encoded VBE script attached to a malicious LNK file
  • Recipe 22: JA3 API search with HTTP Request and Registers
  • Recipe 23: Defeating DOSfuscation embedded in a malicious DOC file with Regular Expression capture groups
  • Recipe 24: Picking a random letter from a six-byte string
  • Recipe 25: Creating a Wifi QR code
  • Recipe 26: Extracting and Decoding a Multistage PHP Webshell
  • Recipe 27: Decoding an Auto Visitor PHP script
  • Recipe 28: De-obfuscation of Cobalt Strike Beacon using Conditional Jumps to obtain shellcode
  • Recipe 29: Log File Timestamp Manipulation with Subsections and Registers
  • Recipe 30: CharCode obfuscated PowerShell Loader for a Cobalt Strike beacon

Here is an interesting presentation from Jonathan Glass: How CyberChef is used for CyberSecurity

https://www.osdfcon.org/presentations/2019/Jonathan-Glass_Cybersecurity-Zero-to-Hero-With-CyberChef.pdf

Cloud encryption: Cryptomator

Here is a great solution for anyone who wants to encrypt their data before putting it onto the cloud.

https://cryptomator.org/

It's open-source encryption software for PC, Mac, Linux, Android and iOS, so every common platform is supported.

How is it encrypted?

In short:
You get a container that is transparently en-/decrypted in real time.

The password: scrypt (key derivation)
The files: AES-GCM (256 bit)
(The filenames are encrypted as well.)

See the full documentation on that here: https://docs.cryptomator.org/en/latest/security/architecture/

PC Windows example

Note

Multiple files are generated, which is good for cloud sync.
The structure looks similar to the files and folders created with ENC DataVault by ENC Security.
You get a "light" version (which enables AES 256 bit) of that software when buying a SanDisk Cruzer USB stick. I've bought the pro version, allowing multiple military-grade AES 512 and also AES 1024 bit containers.
=> Cryptomator has better usability

Use cases

In my case, I use it to safely share and access data between my Windows PC, Linux (Ubuntu) and Android smartphone.

On mobile, you get the option to sync the pictures you take, encrypted, into one container. For convenience, there is the option of unlocking encrypted containers via fingerprint.

It would be possible to share cloud storage with other family members and keep private data protected.

You could also just encrypt your files locally on an external disk.

About the company: Skymatic GmbH

It was born as a German startup with the idea: there are a few cloud encryption tools available, but none of them had made their code open source to be transparent and also more secure.

They also provide company licenses for integrating their technology into your own software, or you can get an enterprise solution for encrypted file storage and sharing: Cryptomator Server https://server.cryptomator.org/

Pricing

Nov 2019:

PC / Linux / Mac: pay what you want (0 EUR, 9 EUR, 15 EUR, 25 EUR or any amount)

Android and iOS:
iOS: 5,99 EUR / 4,99 USD
Android: 9,99 EUR (right now there is a discount: 5,99 EUR)

Secure E-Mail with Gpg4win

On 07.05.2019 the BSI (Federal Office for Information Security) released a press article stating that federal institutions may use Gpg4win ( https://www.gpg4win.de/ ) to send VS-NfD (restricted) data via mail.
Which means for us:
-> if it's safe for restricted federal data...
-> it's safe to use for everyone's emails as well 🙂

https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Gpg4win-mit-VS-NfD-070519.html

A note on why you should encrypt and what the software does can be found here:

https://www.bsi.bund.de/DE/Themen/Kryptografie_Kryptotechnologie/Kryptotechnologie/Gpg4win/gpg4win_node.html

Basically... if you send a private message in the real world, you wouldn't want everyone along the way to be able to read it either, as with a postcard.

=> On the web, sending emails is like sending postcards.

Of course, TLS/SSL protects your message while it is in transit, but on the servers your emails are still stored and readable in clear text.
Oh... wait... there is the Patriot Act, which allows national agencies to access them on demand. And not only the USA has such laws.

The thing is, federal security agencies like the NSA might copy your emails and build profiles from them.
Even your metadata 😉 says a lot about you:
who you are friends with, what topics you talk about with them, when you are awake, whether you are on vacation, from which location/computer you send your email, and much more.

The goal here is: end-to-end
private/public key encryption (RSA)

How does RSA work?

You can encrypt with the public key but only decrypt with the private key.
https://www.tutorialspoint.com/cryptography/public_key_encryption.htm

You generate a password-protected private key, which you never share.
From this one, you generate the public key.

Now you send your public key to the other person.
The other person encrypts the message with your public key and sends it to you.
You decrypt the message with your private key.

I'll make a tutorial on how to actually use Gpg4win.