Cyber security

CyberChef: Your Ultimate Data Transformation and Manipulation Swiss-Army Knife

CyberChef is the best tool for changing and manipulating data. This browser-based “Swiss-Army Knife” was made by GCHQ to make difficult data jobs easier. This piece talks about its features and benefits, whether you work in cybersecurity, digital forensics, or just with data every day.

CyberChef is the self-purported ‘Cyber Swiss-Army Knife’ created by GCHQ. It’s a fantastic tool for data transformation, extraction & manipulation in your web-browser.

Full credit to @GCHQ for producing the tool. See

General Tips

  • Download CyberChef and run it entirely client-side. It doesn’t need an internet connection except for certain operations. That way all your data is safe.
  • Don’t try and shoe-horn CyberChef into something that it can’t do. It can do a lot but it’s not a fully fledged programming language!

Useful Regular Expressions

Mastering regular expressions are key to making the most of data manipulation in CyberChef (or any DFIR work). Below are some regexs that I keep coming back to.

Extracting Encoded Data

  • Extract Base64: [a-zA-Z0-9+/=]{30,}
    • Here ’30’ is an arbitrary number that can be adjusted according to the script.

Extract Hexadecimal: [a-fA-F0-9]{10,}

  • This could also be adjusted to {32} (MD5), {40} (SHA1), {64}, SHA256 to extract various hashes

Extract Character Codes: [\d]{2,3}(,|’)

  • In this example it would extract character codes in the format (’30, 40, 50, 60′)

Lookaheads & Lookbehinds

  • Positive Lookbehind: (?<=foo)(.*)
    • Extract everything after ‘foo’ without including ‘foo’
  • Positive Lookahead: ^.*(?=bar)
    • Extract everything before ‘bar’ without including ‘bar’
  • Lookahead/behind Combo: (?<=')(.*?)(?=')
    • Extract everything between ‘ and ‘

Working with APIs and CyberChef

CyberChef provides an operation HTTP Request (see Recipe 22) which allows HTTP requests to external resources. Due to Same Origin Policy (SOP) or lack of Cross-Origin Resource Sharing configuration many do not work. SOP is a security measure in modern browsers which prevents you from reading cross-site responses from servers which don’t explicitly allow it via CORS. Check out @GlassSec’s talk on CyberChef which includes tips to boot Chrome without web-security to enable HTTP requests to otherwise restricted APIs (like Virus Total)

For more Click Here

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

2 hours ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

2 hours ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

1 day ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

2 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

3 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

3 days ago