CyberChef – a web app for encryption, encoding, compression and data analysis

I've just noticed that I didn't talk about the tools I use quite often for various data conversion purposes.

CyberChef

https://github.com/gchq/CyberChef

The Cyber Swiss Army Knife
CyberChef is a simple, intuitive web app for carrying out all manner of cyber operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years.

That's what they say, and that's what it is.


It was developed by GCHQ (https://www.gchq.gov.uk/), the British intelligence agency. They have a few other interesting tools available on their GitHub (https://github.com/gchq).

Useful Operations

  • From/To Hex
  • From/To Base64
  • URL Encode/Decode
  • Regular Expression
  • XOR Brute Force
  • Decode Text
  • CSV to JSON
  • JSON to CSV
  • RC2, RC4, DES, Triple DES, AES Encrypt/Decrypt
  • Bitwise operations
  • HTTP request
  • JPath Expression
  • Strings
  • Extract Filepaths
  • Extract EXIF
  • Zip/Unzip
  • Tar/Untar
  • All the Hashes
  • Syntax Highlighting
  • Script Beautify
  • Render Image
  • ...

Examples

Magic

The "Magic" operation automatically tries a range of decodings on the input and, most of the time, comes back with a usable result.
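To make the idea behind Magic concrete, here is an added example (my own sketch, not CyberChef's code) that searches over chains of three of the operations listed above, From Hex, From Base64 and Raw Inflate, and keeps the chain whose output looks most like plaintext. The scoring heuristic, the depth limit and the sample input are my assumptions; the real Magic operation is considerably smarter.

```python
import base64, binascii, re, string, zlib

PRINTABLE = frozenset(string.printable.encode())
COMMON = frozenset(b"etaoinshrdlu ")  # most frequent English letters plus space

def score(data: bytes) -> float:
    # Crude plaintext score: printable fraction times frequent-letter fraction, so hex
    # and Base64 text (digits, mixed case, no spaces) scores low and real text high.
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) * sum(b in COMMON for b in data) / len(data) ** 2

def from_hex(data: bytes):
    if len(data) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", data):
        return None
    return binascii.unhexlify(data)

def from_base64(data: bytes):
    if len(data) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", data):
        return None
    return base64.b64decode(data, validate=True)

def raw_inflate(data: bytes):
    try:
        return zlib.decompress(data, wbits=-15)  # -15: raw DEFLATE, no zlib header
    except zlib.error:
        return None

DECODERS = {"From Hex": from_hex, "From Base64": from_base64, "Raw Inflate": raw_inflate}

def magic(data: bytes, depth: int = 3):
    # Depth-limited search over decoder chains; returns (recipe, output, score). A chain only
    # wins if it scores strictly higher than its input, so b"deadbeef" stays text, not bytes.
    best = ([], data, score(data))
    if depth == 0:
        return best
    for name, decode in DECODERS.items():
        out = decode(data)
        if out is None or out == data:
            continue
        recipe, result, s = magic(out, depth - 1)
        if s > best[2]:
            best = ([name] + recipe, result, s)
    return best

def sample_input() -> bytes:
    # Constructed sample: "Hello World" raw-deflated, then Base64-encoded (Recipe 1 shape).
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(b"Hello World") + comp.flush())
```

Running magic(sample_input()) yields the recipe From Base64 -> Raw Inflate with output b'Hello World'; feeding it plain text returns an empty recipe, which is the behaviour you want from an auto-decoder.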

AES Decryption

Base64 decode

Regular Expressions

This is something I often use to extract text/data or to put data into the right format (e.g. " => ', or ".." => {data: ".."}).

If it doesn't work, you can still go to https://regex101.com/ to figure out why your expression is wrong.

How to use it

Well, I don't like giving information away online if I don't have to.

I actually downloaded it and use it offline. It works just fine; I didn't notice any difference.

Opened from a local file: file:///S:/Portable/CyberChef_v9.21.0/CyberChef_v9.21.0.html

For some operations you might want to turn Auto Bake off: it re-runs the recipe automatically on every change you make, which can slow things down.


Further Readings

Recipes and Links to resources

https://github.com/mattnotmax/cyberchef-recipes/edit/master/README.md

  • Recipe 1: Extract base64, raw inflate & beautify
  • Recipe 2: Invoke Obfuscation
  • Recipe 3: From CharCode
  • Recipe 4: Group Policy Preference Password Decryption
  • Recipe 5: Using Loops and Labels
  • Recipe 6: Google ei Timestamps
  • Recipe 7: Multi-stage COM scriptlet to x86 assembly
  • Recipe 8: Extract hexadecimal, convert to hexdump for embedded PE file
  • Recipe 9: Reverse strings, character substitution, from base64
  • Recipe 10: Extract object from Squid proxy cache
  • Recipe 11: Extract GPS Coordinates to Google Maps URLs
  • Recipe 12: Big Number Processing
  • Recipe 13: Parsing DNS PTR records with Registers
  • Recipe 14: Decoding POSHC2 executables
  • Recipe 15: Parsing $MFT $SI Timestamps
  • Recipe 16: Decoding PHP gzinflate and base64 webshells
  • Recipe 17: Extracting shellcode from a Powershell Meterpreter Reverse TCP Script
  • Recipe 18: Recycle Bin Parser with Subsections and Merges
  • Recipe 19: Identify Obfuscated Base64 with Regular Expression Highlighting
  • Recipe 20: Using Yara rules with deobfuscated malicious scripts
  • Recipe 21: Inline deobfuscation of hex encoded VBE script attached to a malicious LNK file
  • Recipe 22: JA3 API search with HTTP Request and Registers
  • Recipe 23: Defeating DOSfuscation embedded in a malicious DOC file with Regular Expression capture groups
  • Recipe 24: Picking a random letter from a six-byte string
  • Recipe 25: Creating a Wifi QR code
  • Recipe 26: Extracting and Decoding a Multistage PHP Webshell
  • Recipe 27: Decoding an Auto Visitor PHP script
  • Recipe 28: De-obfuscation of Cobalt Strike Beacon using Conditional Jumps to obtain shellcode
  • Recipe 29: Log File Timestamp Manipulation with Subsections and Registers
  • Recipe 30: CharCode obfuscated PowerShell Loader for a Cobalt Strike beacon

Here is an interesting presentation by

Jonathan Glass: How CyberChef is used for CyberSecurity

https://www.osdfcon.org/presentations/2019/Jonathan-Glass_Cybersecurity-Zero-to-Hero-With-CyberChef.pdf