دليل CyberChef المختصر

📋 Copy All CyberChef Commands 📄 Generate CyberChef PDF Guide

CyberChef هو تطبيق ويب للتشفير والترميز والضغط وتحليل البيانات. المعروف بـ “السكين السويسري الإلكتروني”، يمكّن محللي الأمن من إجراء تحويلات معقدة للبيانات من خلال واجهة سحب وإفلات بسيطة، مما يجعله لا غنى عنه في تحليل البرامج الضارة والتحقيقات الرقمية وتحديات CTF.

التثبيت والإعداد

تطبيق الويب

الوصول عبر الإنترنت:

# Official hosted version
https://gchq.github.io/CyberChef/

# Alternative mirrors
https://cyberchef.org/
https://icyberchef.com/

التثبيت المحلي

تثبيت Docker:

# Pull official Docker image
docker pull mpepping/cyberchef

# Run CyberChef locally
docker run -d -p 8080:8080 mpepping/cyberchef

# Access at http://localhost:8080

تثبيت Node.js:

# Clone repository
git clone https://github.com/gchq/CyberChef.git
cd CyberChef

# Install dependencies
npm install

# Build application
npm run build

# Start development server
npm start

# Access at http://localhost:8080

التطبيق المستقل:

# Download pre-built releases
wget https://github.com/gchq/CyberChef/releases/download/v9.55.0/CyberChef_v9.55.0.zip

# Extract and run
unzip CyberChef_v9.55.0.zip
cd CyberChef_v9.55.0
python3 -m http.server 8080

نظرة عامة على الواجهة

المكونات الرئيسية

لوحة الوصفات:

• سحب العمليات من قائمة العمليات
• تكوين معلمات العمليات
• إعادة ترتيب العمليات عن طريق السحب
• حفظ وتحميل الوصفات

لوحة الإدخال:

• لصق أو كتابة بيانات الإدخال
• تحميل الملفات (السحب والإفلات)
• تحميل البيانات من عناوين URL
• خيارات تنسيق الإدخال (نص، سداسي، base64)

لوحة الإخراج:

• عرض نتائج التحويل
• تنزيل الإخراج كملف
• النسخ إلى الحافظة
• خيارات تنسيق متعددة للإخراج

قائمة العمليات:

• البحث عن العمليات بالاسم
• التصفح حسب الفئة
• المفضلة للوصول السريع
• سجل العمليات الأخيرة

الترميز وفك الترميز

عمليات Base64

ترميز Base64:

Operation: To Base64
Input: Hello World
Output: SGVsbG8gV29ybGQ=

# With custom alphabet
Operation: To Base64
Alphabet: Custom
Input: sensitive data

فك ترميز Base64:

Operation: From Base64
Input: SGVsbG8gV29ybGQ=
Output: Hello World

# Handle invalid characters
Operation: From Base64
Remove non-alphabet chars: true

متغيرات Base64:

# Base32 encoding
Operation: To Base32
Input: Hello World
Output: JBSWY3DPEBLW64TMMQ======

# Base58 encoding (Bitcoin)
Operation: To Base58
Input: Hello World
Output: JxF12TrwUP45BMd

# Base85 encoding
Operation: To Base85
Input: Hello World
Output: 87cURD]j7BEbo80

ترميز URL

ترميز URL:

Operation: URL Encode
Input: hello world!@#$%
Output: hello%20world%21%40%23%24%25

# Encode all characters
Operation: URL Encode
Encode all chars: true

فك ترميز URL:

Operation: URL Decode
Input: hello%20world%21%40%23%24%25
Output: hello world!@#$%

ترميز HTML

ترميز كيانات HTML:

Operation: To HTML Entity
Input: <script>alert('XSS')</script>
Output: &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;

# Named entities only
Operation: To HTML Entity
Named entities: true

فك ترميز كيانات HTML:

Operation: From HTML Entity
Input: <script>alert('XSS')</script>
Output: <script>alert('XSS')</script>

التشفير وفك التشفير

التشفير المتماثل

تشفير AES:

Operation: AES Encrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Secret message
Output: Encrypted data

# Different modes
Mode: ECB, CBC, CFB, OFB, GCM
Key format: Hex, UTF8, Latin1, Base64

فك تشفير AES:

Operation: AES Decrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Encrypted data
Output: Secret message

DES/3DES:

Operation: DES Encrypt
Mode: CBC
Key: 8-byte key
IV: 8-byte IV
Input: Data to encrypt

Operation: Triple DES Encrypt
Mode: CBC
Key: 24-byte key
IV: 8-byte IV

دوال التجزئة

التجزئات الشائعة:

# MD5 Hash
Operation: MD5
Input: Hello World
Output: b10a8db164e0754105b7a99be72e3fe5

# SHA-1 Hash
Operation: SHA1
Input: Hello World
Output: 0a4d55a8d778e5022fab701977c5d840bbc486d0

# SHA-256 Hash
Operation: SHA2
Size: 256
Input: Hello World
Output: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e

HMAC:

Operation: HMAC
Hash function: SHA256
Key: secret-key
Input: message to authenticate
Output: HMAC value

كسر كلمة المرور

تحليل التجزئة:

Operation: Analyse hash
Input: 5d41402abc4b2a76b9719d911017c592
Output: Possible hash types: MD5, NTLM

# Hash identifier
Operation: Hash identifier
Input: $2b$12$...
Output: bcrypt hash detected

هجوم القاموس:

# Generate wordlist
Operation: Generate wordlist
Type: Bruteforce
Charset: abcdefghijklmnopqrstuvwxyz
Min length: 4
Max length: 8

# Compare with hash
Operation: Compare hashes
Hash type: MD5
Target hash: 5d41402abc4b2a76b9719d911017c592

تحليل البيانات

تحليل النص

التحليل التكراري:

The translation preserves the markdown formatting, keeps technical terms in English, and maintains the overall structure of the original text.``` Operation: Frequency distribution Input: ATTACKATDAWN Output: Character frequency chart

Letter frequency analysis

Operation: Chi squared Input: Encrypted text Output: Chi-squared values for different shifts

Operation: Entropy Input: Random data vs compressed data Output: Entropy value (0-8 bits)

Detect compression/encryption

High entropy (>7): Likely encrypted/compressed Low entropy (“<4): Likely plain text

Operation: Strings Min length: 4 Input: Binary file data Output: Printable strings

Extract specific patterns

Operation: Regular expression Pattern: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]\{2,\} Input: Text with email addresses

**عمليات السداسي عشر:**

Operation: To Hex Delimiter: Space Input: Hello World Output: 48 65 6c 6c 6f 20 57 6f 72 6c 64

Operation: From Hex Delimiter: Auto Input: 48656c6c6f20576f726c64 Output: Hello World

Operation: To Binary Delimiter: Space Input: Hello Output: 01001000 01100101 01101100 01101100 01101111

XOR operations

Operation: XOR Key: secret Key format: UTF8 Input: Data to XOR

Operation: File type Input: File header bytes Output: Detected file type

Extract file signatures

Operation: Extract file paths Input: Binary data Output: Embedded file paths

Detect embedded files

Operation: Binwalk Input: Firmware or binary file Output: Embedded file locations

### تحليل الشبكات

**عمليات عناوين IP:**

Operation: Parse IP range Input: 192.168.1.0/24 Output: List of IP addresses

GeoIP lookup

Operation: GeoIP lookup Input: 8.8.8.8 Output: Location information

DNS operations

Operation: DNS over HTTPS Query type: A Domain: example.com

Operation: URL decode Input: Encoded URL Output: Decoded URL

Parse URL components

Operation: Parse URI Input: https://example.com:8080/path?param=value Output: Protocol, host, port, path, query

Defang URLs

Operation: Defang URL Input: http://malicious-site.com Output: hxxp://malicious-site[.]com

**تحليل السجلات:**

Operation: Parse log file Format: Apache Common Log Input: 127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] “GET /apache_pb.gif HTTP/1.0” 200 2326

Extract timestamps

Operation: Extract dates Input: Log entries with various date formats Output: Standardized timestamps

Parse Windows Event Logs

Operation: Parse Windows Event Log Input: XML event log data Output: Structured event information

Operation: Sort Sort by: Timestamp Input: Multiple log entries Output: Chronologically sorted events

Time zone conversion

Operation: Change datetime format Input format: DD/MM/YYYY HH:mm:ss Output format: ISO 8601 Timezone: UTC

**التستر في الصور:**

Operation: Extract LSB Input: Image file Bit plane: 0 (LSB) Output: Hidden data

Extract EXIF data

Operation: Extract EXIF Input: JPEG image Output: Metadata information

Image analysis

Operation: View Bit Plane Bit: 0 Input: Suspicious image Output: LSB visualization

Operation: Detect hidden text Method: Zero-width characters Input: Text with hidden content Output: Extracted hidden message

Whitespace steganography

Operation: Whitespace Action: Decode Input: Text with hidden whitespace patterns

### التشفير الكلاسيكي

**تشفير قيصر:**

Operation: ROT13 Input: HELLO WORLD Output: URYYB JBEYQ

Variable rotation

Operation: Caesar cipher Amount: 7 Direction: Encrypt Input: ATTACK AT DAWN Output: HAAHJR HA KHDV

Operation: Substitution cipher Plaintext alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ Ciphertext alphabet: ZYXWVUTSRQPONMLKJIHGFEDCBA Input: HELLO Output: SVOOL

Atbash cipher

Operation: Atbash cipher Input: HELLO WORLD Output: SVOOL DLIOW

Operation: Vigenère encode Key: SECRET Input: HELLO WORLD Output: ZINCS AIDVN

Vigenère decode

Operation: Vigenère decode Key: SECRET Input: ZINCS AIDVN Output: HELLO WORLD

**التحليل التكراري:**

Operation: Frequency distribution Show percentages: true Input: Encrypted text Output: Character frequency analysis

Index of Coincidence

Operation: Index of Coincidence Input: Ciphertext Output: IC value (indicates monoalphabetic vs polyalphabetic)

Operation: Kasiski examination Input: Vigenère ciphertext Output: Probable key lengths

Brute force Caesar

Operation: ROT13 brute force Input: Encrypted text Output: All possible rotations

### إنشاء الوصفات

**حفظ الوصفات:**

Create reusable recipes

1. Build operation chain
2. Click “Save recipe”
3. Name and describe recipe
4. Share recipe link

Example: Malware deobfuscation recipe

Operations:

1. From Base64
2. Gunzip
3. From Hex
4. AES Decrypt (key: known_key)

Share via URL

Recipe URL contains encoded operations Example: https://gchq.github.io/CyberChef/#recipe=To_Base64(‘A-Za-z0-9%2B/%3D’)

Export/Import recipes

File format: JSON Contains: Operations, parameters, input/output

**مدخلات متعددة:**

Process multiple files

1. Upload multiple files
2. Apply recipe to all
3. Download results as ZIP

Batch text processing

Input: Multiple lines of data Recipe: Applied to each line Output: Processed results **سكريبتات الأتمتة:**javascript // CyberChef API usage (Node.js) const chef = require(“cyberchef”);

// Create recipe const recipe = new chef.Recipe( new chef.operations.ToBase64(), new chef.operations.MD5() );

// Process data const result = chef.bake(“Hello World”, recipe); console.log(result.toString());

Operation: Magic Input: Unknown encoded data Output: Automatically detected and decoded

Intensive mode

Intensive: true Extensive language support: true Depth: 3 (number of operations to try)

Operation: Fork Split on: \n (newline) Merge: true Input: Multiple lines of data Recipe: Applied to each line separately Output: Combined results

Operation: Scatter chart X values: Column 1 Y values: Column 2 Input: CSV data Output: Interactive scatter plot

Hex dump visualization

Operation: To Hexdump Width: 16 Upper case: true Include ASCII: true

Operation: Generate network diagram Input: Network connection logs Output: Visual network topology

Timeline visualization

Operation: Timeline Date field: timestamp Event field: event_type Input: Log data with timestamps

```bash
# Use CyberChef for data preprocessing
# Example: Decode base64 logs before indexing

# Splunk search command
|eval decoded_data = base64decode(encoded_field)
|eval hash_value = md5(decoded_data)

# CyberChef recipe equivalent:
# 1. From Base64
# 2. MD5
```## أمثلة التكامل
```json
\\\{
  "processors": [
    \\\{
      "script": \\\{
        "source": "ctx.decoded = Base64.getDecoder().decode(ctx.encoded_field)"
      \\\}
    \\\}
  ]
\\\}
```### تكامل SIEM

Extract indicators from reports

Recipe:

1. Regular expression (IP addresses)
2. Regular expression (Domain names)
3. Regular expression (File hashes)
4. Defang URLs
5. Format as CSV

Input: Threat intelligence report Output: Structured IOC list

Deobfuscate malware samples

Recipe:

1. From Base64
2. Gunzip
3. From Hex
4. XOR (key: 0x42)
5. Extract strings
6. Regular expression (URLs/IPs)

Input: Obfuscated malware Output: Deobfuscated code with IOCs

Multi-layer encoding

Recipe:

1. From Base64
2. URL Decode
3. From Hex
4. ROT13
5. Atbash cipher

Steganography analysis

Recipe:

1. Extract LSB
2. From Binary
3. Gunzip
4. From Base64

Cryptanalysis chain

Recipe:

1. Frequency distribution
2. Index of Coincidence
3. Kasiski examination
4. Vigenère decode (guessed key)

Large file processing

• Use “Drop bytes” to reduce size
• Process in chunks using “Split”
• Disable auto-bake for large operations

Memory issues

• Clear input/output regularly
• Use streaming operations when available
• Restart browser if memory usage high

Character encoding problems

• Check input encoding (UTF-8, Latin1, etc.)
• Use “Detect encoding” operation
• Convert between encodings as needed

Binary data handling

• Use hex input for binary data
• Check byte order (little/big endian)
• Verify file headers and signatures

Debug failed recipes

• Check each operation individually
• Verify input format matches expected
• Use “To Hex” to inspect intermediate results
• Check operation parameters

Error messages

• “Invalid input”: Check data format
• “Key length”: Verify encryption key size
• “Parse error”: Check syntax for regex/JSON

Start simple

1. Test each operation individually
2. Build recipe step by step
3. Verify intermediate outputs
4. Document recipe purpose

Error handling

• Use “Drop bytes” to handle extra data
• Add “Try” operations for uncertain steps
• Include fallback operations

Sensitive data handling

• Use local installation for sensitive data
• Clear browser cache after use
• Avoid cloud-hosted instances for secrets
• Use HTTPS for web access

Data validation

• Verify output makes sense
• Cross-check with other tools
• Test with known good data
• Document assumptions and limitations