Cooking with CyberChef
CyberChef is a quick and easy tool for playing with encodings, data and information. Using it regularly in presentations, trainings and examples I was recently asked for a super quick “HowTo”, so here it is.
CyberChef or the “Cyber Swiss Army Knife” is a tool developed by GCHQ and posted on GitHub. It’s written in JS / Node.js and runs locally in your favourite browser. The easiest way of using it, is directly loading it from the offical GitHub page.
CyberChef uses recipes, which can be seen in the recipe column on the page.
They’re simple written using drag and drop. Steps can be searched for using the textbox that contains
to in the previous screenshot and
base64 in the next.
As recipes work, each step is processed after the other. The example shown here initially encodes the text into Base64 and then decodes it back.
Each step can be disabled using the little cancellation/deactivation symbol on the top right corner of the step. For our example here, we’re just trying to decode a plaintext string as Base64 and thus only see gibberish.
As most kitchens have a microwave for cheating while cooking, CyberChef has the “Magic” function, which gives various recipes a try to guess how the input data might be encoded.
In our example here the input data
NzEgMTE3IDExNiAxMDEgMTEwIDMyIDc3IDExMSAxMTQgMTAzIDEwMSAxMTAgNDQgMzIgNzggMTA1IDk5IDExMSAxMDggMTAx is decoded into
Guten Morgen, Nicole by using
From_Base64, followed by
From_Decimal. CyberChef says the output might be German, is valid UTF-8 and has a very low Entropy (thus doesn’t look like a random accident).
Scrolling through the results one also finds a line identifying the input data as Base64 encoded numbers, which obviously also is correct. Due to having selected a
Depth of 3, CyberChef continued with it’s analyzation and went deeper. Changing the
Depth setting to 1 will remove the actual plaintext from the results.
When using CyberChef regularly most the operations will become important / useful at some point. Still, here’s a short overview of things you can do:
- To Decimal: Converts plaintext into the applicable integers representing each character
- From Hex: Converts hexadecimal numbers / characters back to text, well if it represents text ;-)
- To Braille: Converts to Braille, the characters used by the blind
- MD5, SHA: Calculates various hashes based on the input
- Especially helpful if one isn’t sure what the input format for a hash was. Switching from binary, to Hex, to ASCII is quick and easy
- Morse Code
- ROT13, Vigenere: Encodings used in many HackIts and other challenges
- AES, DES, 3-DES etc.: Basics encryption algorithms to play with
In addition CyberChef contains various Operations for working with files and images, basic network functionalities and code-tidy functions.
Flow control operations, one can also build more complex recipes.
What we see here is a dot pattern, which reassembles Braille, thus we start with a
From Braille operation.
00110100 01100101 00100000 00110110 00110011 00100000 00110110 00110001 00100000 00110110 01100100 00100000 00110111 00110101 00100000 00110010 00110000 00100000 00110101 00110101 00100000 00110111 00110110 00100000 00110111 01100001 00100000 00110110 01100101 00100000 00110110 01100100 00100000 00110111 00110101 00100000 00110010 01100011 00100000 00110010 00110000 00100000 00110101 00110110 00100000 00110111 00110000 00100000 00110110 01100010 00100000 00110111 00110110 00100000 00110111 00110100 00100000 00110110 01100011
Which now looks like binary. So we use a
From Binary operation.
4e 63 61 6d 75 20 55 76 7a 6e 6d 75 2c 20 56 70 6b 76 74 6c
Which gives us Hex, so we continue using a “From Hex` operation.
Ncamu Uvznmu, Vpkvtl
At this point we’re stuck, and a need little hint like
Vigenere, Hi. So we add a Vigenere Decode operation and use
Hi as the key.
Guten Morgen, Nicole
And we find the flag I’m currently sending out each morning.
It can be seen decoded with this link.
The cool aspect here, is that the actual input can also be passed to CyberChef using URL parameters :)
Why use CyberChef?
For me it’s quick, easy and simple. I used to use the iPython shell for quick things, but when teaching the necessity of installing a tool is never a good idea, as something will always go wrong. As such, running in a browser, CyberChef is a very nice solution. The same applies to stupid things whilst traveling. CyberChef easily runs from my phone’s browser so I can use it anytime.
It is important to note, that while CyberChef is a very powerful and easy tool, creating a functioning recipe can be a tough job and can involve a bunch of experience, knowledge or pure luck.