By Anna Hammond
July 13, 2021
As a bug bounty hunter, your laptop is your kitchen, your tools are your utensils and you are the chef cooking up some beautiful bugs, but every great cook needs a sous-chef and CyberChef was made to do just that.
This week we will be taking a deep dive into CyberChef and everything it has to offer. Get your chef’s hat on and let’s get going!
It’s a suite of utilities that both technical as less technical people can use to perform “cyber” operations. We know that the description sounds very vague and is quite general but that’s because this tool can do almost everything! Want to decode hexadecimals or base64? CyberChef can do it! What about using RSA to sign a message? The tool has got you covered! Parsing a QR code? CyberChef! Making HTTP calls and parsing the content? CyberChef is the way to go!
CyberChef in use
CyberChef is a tool that can fully be used from the browser! An installation is not needed when using the version hosted at https://gchq.github.io/CyberChef.
However, it is possible to get a local instance of CyberChef up and running and it is incredibly easy. Just follow the recipe:
Download a release from https://github.com/gchq/CyberChef/releases.
Unzip the downloaded CyberChef_vX.X.X.zip file.
Open the CyberChef_vX.X.X.html file with your favorite browser.
That’s it! You now have CyberChef running locally. Could it be any easier?
In this section, we’re going to take a look at the user interface (UI) and how we can use CyberChef to build recipes.
CyberChef overview
Let’s start off with the input and output textboxes covering the right side of your screen. These fields are self-explanatory; we give CyberChef some input, it performs operations on the input and returns some output.
But CyberChef can do much more than just taking in text. In fact, it can use any kind of file as input. Using the selectors, we can import files and folders for the tool to act upon. In the output pane, we can also choose to download the output as a file. On top of that, we’re allowed to have multiple tabs of input or output for when one just isn’t enough.
Now that the input is defined, let’s talk about how we are going to cook it. On the left side, you can see an incredibly extensive list of operations you can use. How do you use them? You do that by creating a recipe. Just like with a recipe in cooking, you will define a set of actions that need to happen on the input to get a specific output.
Do this by dragging the building blocks into the recipe pane. Some building blocks require extra info such as a key, separator and such which can also be defined in the recipe pane.
You’re now ready to start creating some cool recipes on your own!
Let’s take a closer look at some of the operations and sections CyberChef has to offer to see what we have to work with! Note that this list is not extensive at all. There are too many operations to cover but we highly suggest you take some time to look through all of them to get a feel of the power CyberChef can offer you.
If there is one operation that you need to be aware of, then it’s the magic block. This is the cheat-code to hacking and incredibly useful if you don’t know what kind of data you’re dealing with. It will attempt to find the structure behind the data and will show you all the outcomes it deems possibly useful. All of this will happen ‘automagically’!
Magic will attempt to detect encoding schemes such as base64, hexadecimal and more by their predictable structure. It will look for magic byte sequences to identify hidden files and the entropy will be calculated to review the structuredness of the data. CyberChef will perform a byte frequency analysis to identify languages and it will brute force logical operations such as XOR to find suitable candidates.
The real power of this building block comes from the fact that CyberChef will not only do a shallow operation, as in only trying everything once. It will go deeper and reattempt the magic operation on each result. The amount of times this occurs is dependent on the depth parameter.
This magic operation is one to try on any data you have available. Who knows what structure is lying deep down in there!
Magic operation
AES, DES, Blowfish, XOR, Affine, Bcrypt, Enigma, JWT, …; this range of operations is amazing to quickly be able to encrypt or decrypt data. All of these encryptions can be done in any programming language but in CyberChef you can perform them so quickly; it really is a drag-and-drop and done!
That is also what the tool was made for; being able to quickly play around with various things to then have a proof of concept that can be scripted together.
Need to make an HTTP call and quickly act upon its output? Use this block, parse the headers, search through the output and link it up with the other blocks to do some amazing things.
HTTP Request operation
Have a big dump of unstructured data and want to extract IPs, domains, URLs, dates, email addresses and more? Then the extractors are what you need!
Extract IP addresses operation
CSV to JSON
JPATH expression
Extract EXIF
Zip & unzip
Analyse hash
Syntax highlighting
Script beautifying
Render image
Extract files
Entropy
Disassemble
Detect file type
…
The sky really is the limit with what you can build with these blocks but here is an example of how you could use CyberChef to aid in your day-to-day bug bounty hunting!
Recipe for resolving a list of domain names
All of these amazing tools we use on the daily have to have a creator, someone or some group of people who came up with the brilliant idea. In the case of CyberChef, the creator is GCHQ. Never heard of it? Well it’s a government intelligence agency, in fact, it’s the UK’s Government Communications Headquarters.
What was their goal? To make data analysis and operations on data accessible for everybody by making it as easy as drag-and-dropping building blocks. Try it out yourself and see if they’ve achieved their goal!
CyberChef is the perfect tool to quickly and efficiently work with data. You can perform countless of actions and are able to tie them together to get more advanced recipes together. More and more operations are being added and this tool is only getting better.
Be sure to create some recipes of your own and share them with us. If you would like to recommend a tool for us to cover next week, then be sure to let us know down below! Also be sure to check out all the previous Hacker Tools articles, such as the last one on GoBuster.
Did you know that there is a video accompanying this article?
Hacker Tools video
Top 4 new attack vectors in web application targets
October 29, 2024