CyberChef: a web application for decrypting, decoding and transforming data

I. Introduction

Today I'd like to introduce you to the CyberChef tool, and it's a safe bet that after reading this article, it will be part of your daily toolbox!

CyberChef is a web application designed and made available by GCHQ (British intelligence, no less!). It makes it very easy to apply encoding, decoding, compression, decompression, encryption and decryption functions to data. Take a look:

Practical, isn't it? No longer will you have to remember the name of the command and options to decompress a ".gzip", generate a "bcrypt" hash or encrypt a character string in AES, all of which can be done in CyberChef. Let's take a look at how to access and use it.

II. Installation and access to CyberChef

CyberChef is primarily a web application, with an online version hosted on GCHQ's GitHub.io instance:

According to its designer's warnings, and I've checked: no data is transmitted to any third-party server when using the online version of CyberChef. Everything happens on the client side, in JavaScript.

However, if you want to handle business data or data that may contain secret or sensitive information (passwords, user names or internal servers), it's always preferable to have your own local instance. The easiest way to do this is to use containerization via Docker:

# Downloading the CyberChef image and starting a container
docker run -it -p 8080:80 ghcr.io/gchq/cyberchef:latest

After executing this command, a local CyberChef instance will be available and accessible on port 8080 of your host: http://localhost:8080/

III. Using CyberChef

We'll now take a look at the main areas of the CyberChef interface:

Overview of the different sections of the CyberChef interface.

Area 1, called "Input", is where you will insert the data to be encrypted/decrypted, encoded/decoded, etc. This can be text, or an entire file. Area 2 ("Output") will be the result of processing this data according to what you ask CyberChef to do. Here, too, you can easily retrieve text or save the result in a file.

It's in area 4 ("Operation") that you'll need to select the various modifications you wish to apply to your character string, then simply drag and drop them into area 3 (named "Recipe"). In the CyberChef environment, the recipe is simply the sequence of operations (algorithms, transformations, functions) that you will apply to your input string.

For example, the following recipe will apply base64 encoding to my string, then take the contents and convert it to hexadecimal:

  Example of a simple CyberChef "Recipe".

Note the "To" in "To Base64" and "To Hex": it indicates the direction of the conversion, towards that format. If, on the other hand, I want to decode my string, I should use "From Hex" then "From Base64", and in the right order!

Like a recipe, if you perform the operations in the right order, you'll get what you want:

  Example of a simple decoding "Recipe" in CyberChef.

In particular, you can swap the different operations in your recipe by dragging each one to the desired position.
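The ordering rule described above can be reproduced outside the interface. The following is an added example, not part of the original article and not CyberChef's own code: it models a recipe as an ordered list of operation names, and the helper names `bake`, `invert` and `try_bake` are assumptions chosen for the illustration.

```python
import base64
import binascii

# Each operation name maps to a bytes -> bytes function, mirroring the
# "To X" / "From X" naming used in the CyberChef operation list.
OPS = {
    "To Base64": base64.b64encode,
    "From Base64": lambda d: base64.b64decode(d, validate=True),
    "To Hex": lambda d: d.hex().encode("ascii"),
    "From Hex": lambda d: bytes.fromhex(d.decode("ascii")),
}


def bake(recipe, data):
    """Apply each operation of the recipe to the data, in order."""
    for name in recipe:
        data = OPS[name](data)
    return data


def invert(recipe):
    """Build the decoding recipe: reversed order, To <-> From swapped."""
    swap = {"To": "From", "From": "To"}
    inverted = []
    for name in reversed(recipe):
        direction, fmt = name.split(" ", 1)
        inverted.append(f"{swap[direction]} {fmt}")
    return inverted


def try_bake(recipe, data):
    """Return the baked bytes, or None if a step rejects its input."""
    try:
        return bake(recipe, data)
    except (ValueError, binascii.Error):
        return None


if __name__ == "__main__":
    encode = ["To Base64", "To Hex"]
    encoded = bake(encode, b"IT-Connect")  # constructed sample input
    print(encoded.decode())
    print(invert(encode), bake(invert(encode), encoded))
    # Same two operations in the wrong order: From Base64 is fed hex text,
    # produces unrelated bytes, and From Hex then rejects them.
    print(try_bake(["From Base64", "From Hex"], encoded))
```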

The "recipes" you create can be saved for later use without having to manually rebuild the entire chain.

The two great strengths of CyberChef are its ease of use, as we've just seen, and the sheer number of algorithms, manipulations, transformations and hashing, encryption, encoding and compression functions it supports. To see this, just look at all the categories and possibilities in the "Operation" menu on the left:

  • Data format: converts data between different formats, such as JSON, XML, CSV, YAML, etc.
  • Encryption / Encoding: provides tools for encrypting and encoding data, including AES, DES, ROT13, Base64, URL encoding, etc.
  • Public Key: Contains operations related to public key cryptography, such as RSA, ECDSA, key generation, encryption and decryption.
  • Arithmetic / Logic: performs arithmetic and logic operations, such as addition, subtraction, bit-by-bit operations, CRC calculations, etc.
  • Network: provides tools for analyzing and manipulating network data, such as IP conversion, DNS queries, packet analysis, etc.
  • Language: includes text conversion operations between different formats (unicode, UTF-8, etc.).
  • Utilities: various utilities such as random number generation, text replacement operations, occurrence counting, base conversions, etc.
  • Date / Time: allows you to manipulate dates and times, including timestamp converters, calculation of differences between dates, etc.
  • Extractors: tools for extracting specific information from data, such as e-mail addresses, phone numbers, URLs, IPs, etc.
  • Compression: provides tools for compressing and decompressing data with algorithms such as gzip, zip, bzip2, etc.
  • Hashing: contains a large number of hashing algorithms for generating hashes from supplied strings (does not perform hash breaking). It also includes a function that analyzes hashes to determine their type.
  • Code tidy: cleans and formats code to make it more readable, including minify and beautify HTML, CSS, JavaScript, etc.
  • Forensics: tools for digital investigation, such as metadata extraction, file analysis, file format identification, etc.
  • Multimedia: contains tools for manipulating multimedia files, such as image conversion, metadata extraction from audio/video files, etc.
  • Other: contains tools that don't fit into the other categories, such as QR code generators, regex tests, etc.
  • Flow Control: allows you to create workflows with conditional operations, loops, and management of the execution of individual steps.

You can literally spend hours simply browsing, understanding and testing the different operations present in CyberChef, and there's something for every use and every profession: system administrator, pentester, forensic analyst, developer, etc. Roll your mouse over each operation for a brief description:

An info bubble is displayed for each operation in CyberChef.

The advantage, of course, is that you can have everything in one place, without having to remember the options of a particular tool, the URL of the site that allows you to minimize HTML and JavaScript code, etc.

You can also access operations quickly and easily by using the "Favourites" section, where you simply drag and drop the operations you want to access quickly, or by using the search area:

Search areas and CyberChef favorites.

The tool is also packed with features and customization possibilities (dark theme in particular). The important thing with this tool is to discover all its possibilities and then know that you can use it for your everyday needs.

IV. Example of super-useful functions

A. Reorganizing and improving code structure

It's not uncommon to come across poorly indented or even completely minified blocks of code. Debugging this type of code can be very complex, as it's difficult to isolate the interesting elements, the structure and order of instructions, etc., from the rest of the code.

CyberChef offers various operations for reorganizing and indenting different programming languages or source code. Here's an example with a complex SQL query:

Reorganize a complex SQL query.

Here, I've provided CyberChef with a complex SQL query written on a single line. By using the "Code tidy > SQL Beautify" operation, I end up with a much more readable and debuggable query.

B. Extract IP addresses from text

CyberChef contains a number of regular expressions that make it easy to extract or isolate specific items in a block of text. The following example extracts all the IP addresses present in a text:

Extract IP addresses from text.

Here, I've used the "Extractors > Extract IP addresses" operation. Note the options in this operation that allow you to sort them, remove localhost addresses, etc.
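For cases where the same extraction has to run in a script, for example over log files during an investigation, here is an added example that is not part of the original article and not CyberChef's own regular expression. The function name `extract_ipv4`, its options and the list of ranges treated as "local" are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Four dot-separated groups of 1-3 digits, not embedded in a longer
# digit/dot run, so "1.2.3.4.5" (a version string) is not matched.
CANDIDATE = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d)(?!\.\d)")

# Assumption: "local" means loopback, RFC 1918 and link-local ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)]


def extract_ipv4(text, remove_local=False, unique=True, sort=True):
    """Return the IPv4 addresses found in text as a list of strings."""
    found = []
    for match in CANDIDATE.finditer(text):
        octets = [int(part) for part in match.group().split(".")]
        if max(octets) > 255:
            continue  # looks like an address but is not one (e.g. 10.0.0.256)
        addr = ipaddress.IPv4Address(bytes(octets))
        if remove_local and any(addr in net for net in LOCAL_NETS):
            continue
        found.append(addr)
    if unique:
        found = list(dict.fromkeys(found))  # keeps first-seen order
    if sort:
        found.sort()  # numeric order: 9.x sorts before 10.x
    return [str(addr) for addr in found]


# Constructed sample log lines (documentation ranges stand in for public IPs).
SAMPLE = """\
Jan 12 10:01:44 web01 sshd[811]: Failed password for root from 203.0.113.7 port 50122
Jan 12 10:01:45 web01 sshd[811]: Failed password for root from 203.0.113.7 port 50124
Jan 12 10:02:10 web01 nginx: 198.51.100.23 - - "GET /login" 200 upstream=127.0.0.1:8080
Jan 12 10:02:11 web01 nginx: 10.0.0.15 - - "GET /health" 200
Jan 12 10:03:02 web01 app: agent version 1.2.3.4.5 reported bad peer 10.0.0.256
"""

if __name__ == "__main__":
    print(extract_ipv4(SAMPLE))
    print(extract_ipv4(SAMPLE, remove_local=True))
```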

C. Analyze an X.509 certificate

CyberChef can also be used to read and sort information on different types of certificate, key, etc. I use it in the following example to display the details of an x.509 certificate in a readable way. In particular, I've used the option to provide CyberChef with an input file rather than a block of text:

Analyze and display the contents of an x.509 certificate

Thanks to the "Public Key > Parse X.509 certificate" operation, in this example, you no longer need to remember the "openssl" command options to perform this operation in a terminal.

V. Conclusion

CyberChef is a versatile and useful tool for cybersecurity pros, developers, forensic analysts, system administrators and more. Its intuitive interface and wide range of functions enable efficient processing of data, from encoding to encryption, format conversion to compression, hashing and more.

In my experience, it quickly becomes indispensable once you remember that the tool exists and that you need to use a web interface rather than the command line.

I encourage you to give this solution a try, and don't hesitate to give us your feedback in the comments or on our Discord!

Mickaël Dorigny Co-founder
Co-founder of IT-Connect. Auditor/Pentester at Orange Cyberdéfense.
