CyberChef Cheatsheet

CyberChef is a web application for encryption, encoding, compression, and data analysis. Known as "The Cyber Swiss Army Knife," it enables security analysts to perform complex data transformations through a simple drag-and-drop interface, making it invaluable for malware analysis, forensics, and CTF challenges.

Installation and Setup

Web Application

Online Access:

# Official hosted version
https://gchq.github.io/CyberChef/

# Alternative mirrors
https://cyberchef.org/
https://icyberchef.com/

Local Installation

Docker Installation:

# Pull official Docker image
docker pull mpepping/cyberchef

# Run CyberChef locally
docker run -d -p 8080:8080 mpepping/cyberchef

# Access at http://localhost:8080

Node.js Installation:

# Clone repository
git clone https://github.com/gchq/CyberChef.git
cd CyberChef

# Install dependencies
npm install

# Build application
npm run build

# Start development server
npm start

# Access at http://localhost:8080

Standalone Executable:

# Download pre-built releases
wget https://github.com/gchq/CyberChef/releases/download/v9.55.0/CyberChef_v9.55.0.zip

# Extract and run
unzip CyberChef_v9.55.0.zip
cd CyberChef_v9.55.0
python3 -m http.server 8080

Interface Overview

Main Components

Recipe Panel:

• Drag operations from the operations list
• Configure operation parameters
• Reorder operations by dragging
• Save and load recipes

Input Panel:

• Paste or type input data
• Upload files (drag and drop)
• Load data from URLs
• Input format options (text, hex, base64)

Output Panel:

• View transformation results
• Download output as file
• Copy to clipboard
• Multiple output format options

Operations List:

• Search operations by name
• Browse by category
• Favorites for quick access
• Recent operations history

Encoding and Decoding

Base64 Operations

Base64 Encode:

Operation: To Base64
Input: Hello World
Output: SGVsbG8gV29ybGQ=

# With custom alphabet
Operation: To Base64
Alphabet: Custom
Input: sensitive data

Base64 Decode:

Operation: From Base64
Input: SGVsbG8gV29ybGQ=
Output: Hello World

# Handle invalid characters
Operation: From Base64
Remove non-alphabet chars: true

Base64 Variants:

# Base32 encoding
Operation: To Base32
Input: Hello World
Output: JBSWY3DPEBLW64TMMQ======

# Base58 encoding (Bitcoin)
Operation: To Base58
Input: Hello World
Output: JxF12TrwUP45BMd

# Base85 encoding
Operation: To Base85
Input: Hello World
Output: 87cURD]j7BEbo80

URL Encoding

URL Encode:

Operation: URL Encode
Input: hello world!@#$%
Output: hello%20world%21%40%23%24%25

# Encode all characters
Operation: URL Encode
Encode all chars: true

URL Decode:

Operation: URL Decode
Input: hello%20world%21%40%23%24%25
Output: hello world!@#$%

HTML Encoding

HTML Entity Encode:

Operation: To HTML Entity
Input: <script>alert('XSS')</script>
Output: &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;

# Named entities only
Operation: To HTML Entity
Named entities: true

HTML Entity Decode:

Operation: From HTML Entity
Input: <script>alert('XSS')</script>
Output: <script>alert('XSS')</script>

Encryption and Decryption

Symmetric Encryption

AES Encryption:

Operation: AES Encrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Secret message
Output: Encrypted data

# Different modes
Mode: ECB, CBC, CFB, OFB, GCM
Key format: Hex, UTF8, Latin1, Base64

AES Decryption:

Operation: AES Decrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Encrypted data
Output: Secret message

DES/3DES:

Operation: DES Encrypt
Mode: CBC
Key: 8-byte key
IV: 8-byte IV
Input: Data to encrypt

Operation: Triple DES Encrypt
Mode: CBC
Key: 24-byte key
IV: 8-byte IV

Hash Functions

Common Hashes:

# MD5 Hash
Operation: MD5
Input: Hello World
Output: b10a8db164e0754105b7a99be72e3fe5

# SHA-1 Hash
Operation: SHA1
Input: Hello World
Output: 0a4d55a8d778e5022fab701977c5d840bbc486d0

# SHA-256 Hash
Operation: SHA2
Size: 256
Input: Hello World
Output: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e

HMAC:

Operation: HMAC
Hash function: SHA256
Key: secret-key
Input: message to authenticate
Output: HMAC value

Password Cracking

Hash Analysis:

Operation: Analyse hash
Input: 5d41402abc4b2a76b9719d911017c592
Output: Possible hash types: MD5, NTLM

# Hash identifier
Operation: Hash identifier
Input: $2b$12$...
Output: bcrypt hash detected

Dictionary Attack:

# Generate wordlist
Operation: Generate wordlist
Type: Bruteforce
Charset: abcdefghijklmnopqrstuvwxyz
Min length: 4
Max length: 8

# Compare with hash
Operation: Compare hashes
Hash type: MD5
Target hash: 5d41402abc4b2a76b9719d911017c592

Data Analysis

Text Analysis

Frequency Analysis:

Operation: Frequency distribution
Input: ATTACKATDAWN
Output: Character frequency chart

# Letter frequency analysis
Operation: Chi squared
Input: Encrypted text
Output: Chi-squared values for different shifts

Entropy Analysis:

Operation: Entropy
Input: Random data vs compressed data
Output: Entropy value (0-8 bits)

# Detect compression/encryption
High entropy (>7): Likely encrypted/compressed
Low entropy (<4): Likely plain text

String Extraction:

Operation: Strings
Min length: 4
Input: Binary file data
Output: Printable strings

# Extract specific patterns
Operation: Regular expression
Pattern: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}
Input: Text with email addresses

Binary Analysis

Hex Operations:

Operation: To Hex
Delimiter: Space
Input: Hello World
Output: 48 65 6c 6c 6f 20 57 6f 72 6c 64

Operation: From Hex
Delimiter: Auto
Input: 48656c6c6f20576f726c64
Output: Hello World

Binary Operations:

Operation: To Binary
Delimiter: Space
Input: Hello
Output: 01001000 01100101 01101100 01101100 01101111

# XOR operations
Operation: XOR
Key: secret
Key format: UTF8
Input: Data to XOR

File Analysis:

Operation: File type
Input: File header bytes
Output: Detected file type

# Extract file signatures
Operation: Extract file paths
Input: Binary data
Output: Embedded file paths

# Detect embedded files
Operation: Binwalk
Input: Firmware or binary file
Output: Embedded file locations

Forensics and Malware Analysis

Network Analysis

IP Address Operations:

Operation: Parse IP range
Input: 192.168.1.0/24
Output: List of IP addresses

# GeoIP lookup
Operation: GeoIP lookup
Input: 8.8.8.8
Output: Location information

# DNS operations
Operation: DNS over HTTPS
Query type: A
Domain: example.com

URL Analysis:

Operation: URL decode
Input: Encoded URL
Output: Decoded URL

# Parse URL components
Operation: Parse URI
Input: https://example.com:8080/path?param=value
Output: Protocol, host, port, path, query

# Defang URLs
Operation: Defang URL
Input: http://malicious-site.com
Output: hxxp://malicious-site[.]com

Log Analysis

Log Parsing:

Operation: Parse log file
Format: Apache Common Log
Input: 127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326

# Extract timestamps
Operation: Extract dates
Input: Log entries with various date formats
Output: Standardized timestamps

# Parse Windows Event Logs
Operation: Parse Windows Event Log
Input: XML event log data
Output: Structured event information

Timeline Analysis:

Operation: Sort
Sort by: Timestamp
Input: Multiple log entries
Output: Chronologically sorted events

# Time zone conversion
Operation: Change datetime format
Input format: DD/MM/YYYY HH:mm:ss
Output format: ISO 8601
Timezone: UTC

Steganography

Image Steganography:

Operation: Extract LSB
Input: Image file
Bit plane: 0 (LSB)
Output: Hidden data

# Extract EXIF data
Operation: Extract EXIF
Input: JPEG image
Output: Metadata information

# Image analysis
Operation: View Bit Plane
Bit: 0
Input: Suspicious image
Output: LSB visualization

Text Steganography:

Operation: Detect hidden text
Method: Zero-width characters
Input: Text with hidden content
Output: Extracted hidden message

# Whitespace steganography
Operation: Whitespace
Action: Decode
Input: Text with hidden whitespace patterns

Cryptanalysis

Classical Ciphers

Caesar Cipher:

Operation: ROT13
Input: HELLO WORLD
Output: URYYB JBEYQ

# Variable rotation
Operation: Caesar cipher
Amount: 7
Direction: Encrypt
Input: ATTACK AT DAWN
Output: HAAHJR HA KHDV

Substitution Ciphers:

Operation: Substitution cipher
Plaintext alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext alphabet: ZYXWVUTSRQPONMLKJIHGFEDCBA
Input: HELLO
Output: SVOOL

# Atbash cipher
Operation: Atbash cipher
Input: HELLO WORLD
Output: SVOOL DLIOW

Vigenère Cipher:

Operation: Vigenère encode
Key: SECRET
Input: HELLO WORLD
Output: ZINCS AIDVN

# Vigenère decode
Operation: Vigenère decode
Key: SECRET
Input: ZINCS AIDVN
Output: HELLO WORLD

Modern Cryptanalysis

Frequency Analysis:

Operation: Frequency distribution
Show percentages: true
Input: Encrypted text
Output: Character frequency analysis

# Index of Coincidence
Operation: Index of Coincidence
Input: Ciphertext
Output: IC value (indicates monoalphabetic vs polyalphabetic)

Key Recovery:

Operation: Kasiski examination
Input: Vigenère ciphertext
Output: Probable key lengths

# Brute force Caesar
Operation: ROT13 brute force
Input: Encrypted text
Output: All possible rotations

Automation and Scripting

Recipe Creation

Save Recipes:

# Create reusable recipes
1. Build operation chain
2. Click "Save recipe"
3. Name and describe recipe
4. Share recipe link

# Example: Malware deobfuscation recipe
Operations:
1. From Base64
2. Gunzip
3. From Hex
4. AES Decrypt (key: known_key)

Recipe Sharing:

# Share via URL
Recipe URL contains encoded operations
Example: https://gchq.github.io/CyberChef/#recipe=To_Base64('A-Za-z0-9%2B/%3D')

# Export/Import recipes
File format: JSON
Contains: Operations, parameters, input/output

Batch Processing

Multiple Inputs:

# Process multiple files
1. Upload multiple files
2. Apply recipe to all
3. Download results as ZIP

# Batch text processing
Input: Multiple lines of data
Recipe: Applied to each line
Output: Processed results

Automation Scripts:

// CyberChef API usage (Node.js)
const chef = require("cyberchef");

// Create recipe
const recipe = new chef.Recipe(
    new chef.operations.ToBase64(),
    new chef.operations.MD5()
);

// Process data
const result = chef.bake("Hello World", recipe);
console.log(result.toString());

Advanced Techniques

Custom Operations

Magic Operation:

Operation: Magic
Input: Unknown encoded data
Output: Automatically detected and decoded

# Intensive mode
Intensive: true
Extensive language support: true
Depth: 3 (number of operations to try)

Fork Operation:

Operation: Fork
Split on: \n (newline)
Merge: true
Input: Multiple lines of data
Recipe: Applied to each line separately
Output: Combined results

Data Visualization

Chart Generation:

Operation: Scatter chart
X values: Column 1
Y values: Column 2
Input: CSV data
Output: Interactive scatter plot

# Hex dump visualization
Operation: To Hexdump
Width: 16
Upper case: true
Include ASCII: true

Network Diagrams:

Operation: Generate network diagram
Input: Network connection logs
Output: Visual network topology

# Timeline visualization
Operation: Timeline
Date field: timestamp
Event field: event_type
Input: Log data with timestamps

Integration Examples

SIEM Integration

Splunk Integration:

# Use CyberChef for data preprocessing
# Example: Decode base64 logs before indexing

# Splunk search command
| eval decoded_data = base64decode(encoded_field)
| eval hash_value = md5(decoded_data)

# CyberChef recipe equivalent:
# 1. From Base64
# 2. MD5

ELK Stack Integration:

{
  "processors": [
    {
      "script": {
        "source": "ctx.decoded = Base64.getDecoder().decode(ctx.encoded_field)"
      }
    }
  ]
}

Threat Intelligence

IOC Extraction:

# Extract indicators from reports
Recipe:
1. Regular expression (IP addresses)
2. Regular expression (Domain names)
3. Regular expression (File hashes)
4. Defang URLs
5. Format as CSV

Input: Threat intelligence report
Output: Structured IOC list

Malware Analysis:

# Deobfuscate malware samples
Recipe:
1. From Base64
2. Gunzip
3. From Hex
4. XOR (key: 0x42)
5. Extract strings
6. Regular expression (URLs/IPs)

Input: Obfuscated malware
Output: Deobfuscated code with IOCs

CTF and Challenges

Common CTF Recipes:

# Multi-layer encoding
Recipe:
1. From Base64
2. URL Decode
3. From Hex
4. ROT13
5. Atbash cipher

# Steganography analysis
Recipe:
1. Extract LSB
2. From Binary
3. Gunzip
4. From Base64

# Cryptanalysis chain
Recipe:
1. Frequency distribution
2. Index of Coincidence
3. Kasiski examination
4. Vigenère decode (guessed key)

Troubleshooting

Common Issues

Performance Problems:

# Large file processing
- Use "Drop bytes" to reduce size
- Process in chunks using "Split"
- Disable auto-bake for large operations

# Memory issues
- Clear input/output regularly
- Use streaming operations when available
- Restart browser if memory usage high

Encoding Issues:

# Character encoding problems
- Check input encoding (UTF-8, Latin1, etc.)
- Use "Detect encoding" operation
- Convert between encodings as needed

# Binary data handling
- Use hex input for binary data
- Check byte order (little/big endian)
- Verify file headers and signatures

Recipe Debugging:

# Debug failed recipes
- Check each operation individually
- Verify input format matches expected
- Use "To Hex" to inspect intermediate results
- Check operation parameters

# Error messages
- "Invalid input": Check data format
- "Key length": Verify encryption key size
- "Parse error": Check syntax for regex/JSON

Best Practices

Recipe Development:

# Start simple
1. Test each operation individually
2. Build recipe step by step
3. Verify intermediate outputs
4. Document recipe purpose

# Error handling
- Use "Drop bytes" to handle extra data
- Add "Try" operations for uncertain steps
- Include fallback operations

Security Considerations:

# Sensitive data handling
- Use local installation for sensitive data
- Clear browser cache after use
- Avoid cloud-hosted instances for secrets
- Use HTTPS for web access

# Data validation
- Verify output makes sense
- Cross-check with other tools
- Test with known good data
- Document assumptions and limitations

This comprehensive CyberChef cheatsheet covers data transformation, cryptanalysis, forensics, and automation techniques for effective security analysis and investigation.