Cyber security

CyberChef: Your Ultimate Data Transformation and Manipulation Swiss-Army Knife

CyberChef is the best tool for changing and manipulating data. This browser-based “Swiss-Army Knife” was made by GCHQ to make difficult data jobs easier. This piece talks about its features and benefits, whether you work in cybersecurity, digital forensics, or just with data every day.

CyberChef is the self-purported ‘Cyber Swiss-Army Knife’ created by GCHQ. It’s a fantastic tool for data transformation, extraction & manipulation in your web-browser.

Full credit to @GCHQ for producing the tool. See

General Tips

  • Download CyberChef and run it entirely client-side. It doesn’t need an internet connection except for certain operations. That way all your data is safe.
  • Don’t try and shoe-horn CyberChef into something that it can’t do. It can do a lot but it’s not a fully fledged programming language!

Useful Regular Expressions

Mastering regular expressions are key to making the most of data manipulation in CyberChef (or any DFIR work). Below are some regexs that I keep coming back to.

Extracting Encoded Data

  • Extract Base64: [a-zA-Z0-9+/=]{30,}
    • Here ’30’ is an arbitrary number that can be adjusted according to the script.

Extract Hexadecimal: [a-fA-F0-9]{10,}

  • This could also be adjusted to {32} (MD5), {40} (SHA1), {64}, SHA256 to extract various hashes

Extract Character Codes: [\d]{2,3}(,|’)

  • In this example it would extract character codes in the format (’30, 40, 50, 60′)

Lookaheads & Lookbehinds

  • Positive Lookbehind: (?<=foo)(.*)
    • Extract everything after ‘foo’ without including ‘foo’
  • Positive Lookahead: ^.*(?=bar)
    • Extract everything before ‘bar’ without including ‘bar’
  • Lookahead/behind Combo: (?<=')(.*?)(?=')
    • Extract everything between ‘ and ‘

Working with APIs and CyberChef

CyberChef provides an operation HTTP Request (see Recipe 22) which allows HTTP requests to external resources. Due to Same Origin Policy (SOP) or lack of Cross-Origin Resource Sharing configuration many do not work. SOP is a security measure in modern browsers which prevents you from reading cross-site responses from servers which don’t explicitly allow it via CORS. Check out @GlassSec’s talk on CyberChef which includes tips to boot Chrome without web-security to enable HTTP requests to otherwise restricted APIs (like Virus Total)

For more Click Here

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Install TensorFlow on Ubuntu 18.04: Python venv Setup and Usage

TensorFlow is a free, open-source machine learning platform developed by Google. It is used by major…

16 hours ago

Install Minecraft Server on Ubuntu 18.04: Systemd Setup Guide

Minecraft is one of the most popular games ever made — a sandbox game where players…

18 hours ago

Install CouchDB on Ubuntu 18.04: Setup and Configuration Guide

CouchDB is a free, open-source NoSQL database maintained by the Apache Software Foundation. Unlike traditional relational…

19 hours ago

Install Docker Compose on Ubuntu 18.04: Setup and Usage Guide

Docker Compose is a tool that lets you define and run multi-container Docker applications using a…

20 hours ago

Install PHP Composer on Ubuntu 18.04: Setup and Getting Started

Composer is a dependency manager for PHP. It works similarly to npm for Node.js or pip…

20 hours ago

Install and Configure Squid Proxy on Ubuntu 18.04: Setup Guide

Squid is a full-featured caching proxy server that supports HTTP, HTTPS, and FTP. It is most…

2 days ago