Cooking with CyberChef

CyberChef is a quick and easy tool for playing with encodings, data and information. Using it regularly in presentations, trainings and examples I was recently asked for a super quick “HowTo”, so here it is.

About CyberChef

CyberChef or the “Cyber Swiss Army Knife” is a tool developed by GCHQ and posted on GitHub . It’s written in JS / Node.js and runs locally in your favourite browser. The easiest way of using it, is directly loading it from the offical GitHub page .

CyberChef

Cooking

CyberChef uses recipes, which can be seen in the recipe column on the page.

Base64

They’re simple written using drag and drop. Steps can be searched for using the textbox that contains to in the previous screenshot and base64 in the next.

Base64 Back

As recipes work, each step is processed after the other. The example shown here initially encodes the text into Base64 and then decodes it back.

Base64 Broken

Each step can be disabled using the little cancellation/deactivation symbol on the top right corner of the step. For our example here, we’re just trying to decode a plaintext string as Base64 and thus only see gibberish.

Lazy Cooking

As most kitchens have a microwave for cheating while cooking, CyberChef has the “Magic” function, which gives various recipes a try to guess how the input data might be encoded.

Base64, Decimal, Magic

In our example here the input data NzEgMTE3IDExNiAxMDEgMTEwIDMyIDc3IDExMSAxMTQgMTAzIDEwMSAxMTAgNDQgMzIgNzggMTA1IDk5IDExMSAxMDggMTAx is decoded into Guten Morgen, Nicole by using From_Base64, followed by From_Decimal. CyberChef says the output might be German, is valid UTF-8 and has a very low Entropy (thus doesn’t look like a random accident).

Decimal, Magic

Scrolling through the results one also finds a line identifying the input data as Base64 encoded numbers, which obviously also is correct. Due to having selected a Depth of 3, CyberChef continued with it’s analyzation and went deeper. Changing the Depth setting to 1 will remove the actual plaintext from the results.

Important Operations

When using CyberChef regularly most the operations will become important / useful at some point. Still, here’s a short overview of things you can do:

  • To Decimal: Converts plaintext into the applicable integers representing each character
  • From Hex: Converts hexadecimal numbers / characters back to text, well if it represents text ;-)
  • To Braille: Converts to Braille, the characters used by the blind
  • MD5, SHA: Calculates various hashes based on the input
    • Especially helpful if one isn’t sure what the input format for a hash was. Switching from binary, to Hex, to ASCII is quick and easy
  • Morse Code
  • ROT13, Vigenere: Encodings used in many HackIts and other challenges
  • AES, DES, 3-DES etc.: Basics encryption algorithms to play with

In addition CyberChef contains various Operations for working with files and images, basic network functionalities and code-tidy functions.

Using the Flow control operations, one can also build more complex recipes.

An Example

⠴⠴⠂⠂⠴⠂⠴⠴⠀⠴⠂⠂⠴⠴⠂⠴⠂⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠴⠀⠴⠴⠂⠂⠴⠴⠂⠂⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠴⠀⠴⠴⠂⠂⠴⠴⠴⠂⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠴⠀⠴⠂⠂⠴⠴⠂⠴⠴⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠂⠀⠴⠴⠂⠂⠴⠂⠴⠂⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠴⠂⠴⠀⠴⠴⠂⠂⠴⠴⠴⠴⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠴⠂⠀⠴⠴⠂⠂⠴⠂⠴⠂⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠂⠀⠴⠴⠂⠂⠴⠂⠂⠴⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠂⠀⠴⠂⠂⠴⠴⠴⠴⠂⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠴⠀⠴⠂⠂⠴⠴⠂⠴⠂⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠴⠀⠴⠂⠂⠴⠴⠂⠴⠴⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠂⠀⠴⠴⠂⠂⠴⠂⠴⠂⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠴⠂⠴⠀⠴⠂⠂⠴⠴⠴⠂⠂⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠴⠂⠴⠀⠴⠴⠂⠂⠴⠴⠴⠴⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠴⠂⠀⠴⠴⠂⠂⠴⠂⠂⠴⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠂⠀⠴⠴⠂⠂⠴⠴⠴⠴⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠴⠀⠴⠂⠂⠴⠴⠴⠂⠴⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠂⠀⠴⠴⠂⠂⠴⠂⠂⠴⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠂⠀⠴⠴⠂⠂⠴⠂⠴⠴⠀⠴⠴⠂⠴⠴⠴⠴⠴⠀⠴⠴⠂⠂⠴⠂⠂⠴⠀⠴⠂⠂⠴⠴⠴⠂⠂

What we see here is a dot pattern, which reassembles Braille, thus we start with a From Braille operation.

00110100 01100101 00100000 00110110 00110011 00100000 00110110 00110001 00100000 00110110 01100100 00100000 00110111 00110101 00100000 00110010 00110000 00100000 00110101 00110101 00100000 00110111 00110110 00100000 00110111 01100001 00100000 00110110 01100101 00100000 00110110 01100100 00100000 00110111 00110101 00100000 00110010 01100011 00100000 00110010 00110000 00100000 00110101 00110110 00100000 00110111 00110000 00100000 00110110 01100010 00100000 00110111 00110110 00100000 00110111 00110100 00100000 00110110 01100011

Which now looks like binary. So we use a From Binary operation.


4e 63 61 6d 75 20 55 76 7a 6e 6d 75 2c 20 56 70 6b 76 74 6c

Which gives us Hex, so we continue using a “From Hex` operation.

Ncamu Uvznmu, Vpkvtl

At this point we’re stuck, and a need little hint like Vigenere, Hi. So we add a Vigenere Decode operation and use Hi as the key.

Guten Morgen, Nicole

And we find the flag I’m currently sending out each morning.

It can be seen decoded with this link .

The cool aspect here, is that the actual input can also be passed to CyberChef using URL parameters :)

Why use CyberChef?

For me it’s quick, easy and simple. I used to use the iPython shell for quick things, but when teaching the necessity of installing a tool is never a good idea, as something will always go wrong. As such, running in a browser, CyberChef is a very nice solution. The same applies to stupid things whilst traveling. CyberChef easily runs from my phone’s browser so I can use it anytime.

It is important to note, that while CyberChef is a very powerful and easy tool, creating a functioning recipe can be a tough job and can involve a bunch of experience, knowledge or pure luck.