CyberChef: The Basics

There are different ways to access and run CyberChef. Let's check the two most convenient methods!

Online Access

All you need is a web browser and an internet connection. Then, you can click this link to open CyberChef directly within your web browser.

Offline or Local Copy

You can run this offline or locally on your machine by downloading the latest release file from this link. This will work on both Windows and Linux platforms. As best practice, you should download the most stable version.

CyberChef consists of four areas. Each consists of different components or features.

These are the following areas:

1. Operations
2. Recipe
3. Input
4. Output

Let's discuss each of these areas below.

The Operations Area

This is a practical and comprehensive repository of all the diverse operations that CyberChef is equipped to perform. These operations are meticulously categorized, offering users convenient access to various capabilities. Users can utilize the search feature to locate specific operations quickly, enhancing their efficiency and productivity.

Below are some operations you might use throughout your cyber security journey.

Alternatively, you can directly check how the operations work by hovering on the specific operation. This should give you a sample or a description and a link to Wikipedia.

The Recipe Area

This is considered as the heart of the tool. In this area, you can seamlessly select, arrange, and fine-tune operations to suit your needs. This is where you take control, defining each operation's arguments and options precisely and purposefully. The recipe area is a designated space to select and arrange specific operations and then define their respective arguments and options to customize their behaviour further. In the recipe area, you can drag the operations you want to use and specify arguments and options.

Features include the following:

These can be found in the highlighted icons below:

The bottom part of the image above is the BAKE! button. This processes the data with the given recipe.

Additionally, you can tick the Auto Bake checkbox. This feature allows users to automatically cook using the selected recipe without manually clicking BAKE! every time.

Input Area

The input area provides a user-friendly space where you can easily input text or files by pasting, typing, or dragging them to perform operations.

Additionally, it has the following features:

Add a new input tab: This is where an additional tab is created for the user to use different values from the previous tab.

Open folder as input: This feature allows users to upload a whole folder as input value.

Open file as input: This feature allows the user to upload a file as its input value.

Clear input and output: This feature allows the user to clear any input values inserted and the corresponding output value.

Reset pane layout: This feature brings the tool's interface to its default window sizes.

Output Area

The output area is a visual space that showcases the data processing results. It neatly presents the outcomes of any manipulations or transformations you have applied to the input data, allowing for a clear and intuitive display of the processed information.

Features include:

Save output to file: This feature allows the users to save the result into a .dat file.

Copy raw output to the clipboard: This feature allows users to copy raw output directly to their clipboard, allowing them to quickly copy the results for use in other applications or documents.

Replace input with output: This feature allows users to quickly overwrite the input data based on the operations' results.

Maximise output pane: This feature brings the tool's interface to its default window sizes.

Hold your horses!

Before even going to the actual thing, let's have a quick overview of the thought process when using CyberChef! This process consists of four different steps:

Let's discuss each step further.

Setting a clear objective is essential. This step involves defining specific and achievable goals. It helps answer the question, "What do I want to accomplish?". Objectives are vital in providing direction, purpose, and focus to your goals. One example would be, "During a security investigation, I found a gibberish string; I want to know what hidden message it contains if it has one."

Next, put your data into the input area. In this step, you use your data. This is where you paste or upload the gibberish string that you found.

The third step is to select the Operations you want to use. This can be tricky if you are not familiar yet with what you are dealing with. Following our example, we are still determining what to use to understand this gibberish string. During our research, we found relevant information that this gibberish string might be using anything related to encryption. Therefore, we decided to use any operations under the Encryption/Encoding category, including but not limited to ROT13, Base64, Base85, or ROT47. Note that we can use a lot of operations under this category. 

Lastly, check the output to see if it is the intended result. This begs the question, "Have we achieved our objective?". In our example, it would mean, were we able to decode the gibberish string we found? If yes, then that's it! If not, we may need to repeat the steps that we have taken.

To provide visual clarity to our example, see the figure below:

We want you to be as prepared as possible. Therefore, we will explore some of this task's most commonly used operation categories. Recognizing which category to utilize can enhance your ability to use the tool more efficiently and effectively.

Extractors

The specific operations mentioned in the table below fall under the Extractors category.

The Extract IP addresses will extract any valid IPv4/6 address from any given input. We recommend checking our existing room for a quick recap of networking: Networking Concepts

The Extract email addresses extracts any strings and characters with this format, anything@domain[.]com. Examples of domains include hotmail.com, google.com, tryhackme.com, and yahoo.com

Extract URLs extracts Uniform Resource Locator, commonly known as URL. , a URL is the address used to access resources on the internet. You can check the Web Applications Basics room if you would like to dig deeper into URLs and web applications.

Date and Time

The specific operations in the table below fall under the Date / Time category.

A UNIX timestamp is a 32-bit value representing the number of seconds since January 1, 1970 UTC (the UNIX epoch). To convert "Fri Sep 6 20:30:22 +04 2024" into a UNIX Timestamp, use the operations To UNIX Timestamp, where the result would be 1725654622. If you wish to convert it back to a more readable format, you can use From UNIX Timestamp.

Data Format

The specific operations in the table below fall under the Data format category.

Operations such as Base(64, 85, 58, 62) are known as base encodings. Base encoding takes binary data (strings of 0s and 1s) and transforms it into a text-based representation using a specific set of ASCII (American Standard Code for Information Interchange) characters.

Although we have a dedicated room for Hashing Basics, let's have a quick overview and discuss the most commonly used operation, Base64.

Our example would be to encode the letters "THM". We have a short ASCII Table here that we can use for reference. If you want to view the complete ASCII Table, please refer to this page here.

Step 1: Convert To Binary and Merge(Manually)

Based on our table above, T = 01010100, H=01001000, M = 01001101. Next, concatenate these binaries and make sure they have 24 characters. You should have 010101000100100001001101

Step 2: Divide and Convert to Decimal(Manually)

Separate 010101000100100001001101 into 6 characters each. You should have 010101 000100 100001 001101. These are 6-bit characters; we should have four instances of this now. We need to convert each instance to Decimal. Let's convert, then!

Step 3: Convert to Base64 (Manually)

Now that we have the Numbers from the previous step, which are 21, 4, 33, and 13, let's look for the equivalent characters from our table below. This table represents a base64 index table.

Upon checking from the table, we should have found its corresponding character by now. 

Combine these characters, and you should have the equivalent of "THM" in base64 format. The answer would be VEhN.

Woah! Isn't that amazing? You just converted a set of characters into base64 manually.

Now, let’s discuss the URL Decode. This works by converting the percent-encoded characters back to their raw values. For a reference of these values, you can check the page here. Note that the default character set in HTML5 is UTF-8. Check the table below for a quick overview of what we can typically see in a URL.

Practical Exercise

Click on the Download Task Files button at the top of this task to download the file that we will use to answer the questions below.

Once downloaded, you can open the file, copy and paste the content into the input field, or use the Open file as input feature to upload the file.

Note: Use the specific operations under the Extractors category for the first two questions. It's best to try to answer the questions first without using the hints.

This task allows us to apply what we've learned from the previous tasks. We'll utilize CyberChef's areas and its features to answer the questions being asked. 

Now, this is the time that you truly shine! You are going for your first cook ever!

Ready? Let's get our hands dirty, then!

Note: It's best to try to answer the questions first without using the hints.

In this room, we discussed how CyberChef is a powerful tool for handling various data transformations and decoding tasks. Whether you need to work with Base64, Binary, or URLs, this digital wizard's kitchen provides a visual interface that makes data manipulation intuitive and straightforward. With a diverse recipe library, you can confidently tackle tasks ranging from extracting email addresses, IP addresses, and domains. We were able to navigate its interface and have a high-level discussion of the different areas, features, and parameters. However, note that for particularly large-scale processing, it's vital to benefit from support from other tools.