CyberChef Cheatsheet

📋 Kopieren Alle CyberChefkommandos>/button> 📄 CyberChef PDF Guide generieren

CyberChef ist eine Web-Anwendung für Verschlüsselung, Codierung, Kompression und Datenanalyse. Bekannt als "The Cyber Swiss Army Knife", ermöglicht es Sicherheitsanalysten, komplexe Datentransformationen durch eine einfache Drag-and-Drop-Schnittstelle durchzuführen, wodurch es für Malware-Analyse, Forensik und CTF-Herausforderungen unschätzbar ist. ## Installation und Inbetriebnahme ### Web-Anwendung ** Online-Zugang:**

# Official hosted version
https://gchq.github.io/CyberChef/

# Alternative mirrors
https://cyberchef.org/
https://icyberchef.com/
```_

### Lokale Installation

**Docker Installation:**
```bash
# Pull official Docker image
docker pull mpepping/cyberchef

# Run CyberChef locally
docker run -d -p 8080:8080 mpepping/cyberchef

# Access at http://localhost:8080
```_

**Node.js Installation:**
```bash
# Clone repository
git clone https://github.com/gchq/CyberChef.git
cd CyberChef

# Install dependencies
npm install

# Build application
npm run build

# Start development server
npm start

# Access at http://localhost:8080
```_

** Standalone Ausführbar: **
```bash
# Download pre-built releases
wget https://github.com/gchq/CyberChef/releases/download/v9.55.0/CyberChef_v9.55.0.zip

# Extract and run
unzip CyberChef_v9.55.0.zip
cd CyberChef_v9.55.0
python3 -m http.server 8080
```_

## Schnittstellenübersicht

### Hauptkomponenten

**Recipe Panel: **
- Drag-Operationen aus der Operationsliste
- Betriebsparameter konfigurieren
- Reord-Operationen durch Ziehen
- Rezepte speichern und laden

**Input Panel:**
- Einfügen oder Typ-Eingabedaten
- Dateien hochladen (drag und drop)
- Daten von URLs laden
- Eingabeformat Optionen (Text, Hex, base64)

**Output Panel:**
- Transformationsergebnisse anzeigen
- Ausgabe als Datei herunterladen
- Kopieren in Clipboard
- Mehrere Ausgabeformatoptionen

**Berufsliste:**
- Suchvorgänge nach Namen
- Suchen nach Kategorie
- Favoriten für schnellen Zugriff
- Aktuelle Betriebsgeschichte

## Kodierung und Dekodierung

### Basis64 Operationen

**Base64 Encode:**

Operation: To Base64 Input: Hello World Output: SGVsbG8gV29ybGQ= # With custom alphabet Operation: To Base64 Alphabet: Custom Input: sensitive data

**Base64 Decode:**

Operation: From Base64 Input: SGVsbG8gV29ybGQ= Output: Hello World # Handle invalid characters Operation: From Base64 Remove non-alphabet chars: true

**Base64 Varianten:**

# Base32 encoding Operation: To Base32 Input: Hello World Output: JBSWY3DPEBLW64TMMQ====== # Base58 encoding (Bitcoin) Operation: To Base58 Input: Hello World Output: JxF12TrwUP45BMd # Base85 encoding Operation: To Base85 Input: Hello World Output: 87cURD]j7BEbo80

### URL Kodierung

**URL Encode:**

Operation: URL Encode Input: hello world!@#$% Output: hello%20world%21%40%23%24%25 # Encode all characters Operation: URL Encode Encode all chars: true

**URL Decode:**

Operation: URL Decode Input: hello%20world%21%40%23%24%25 Output: hello world!@#$%

### HTML Encoding

**HTML Entity Encode:**

Operation: To HTML Entity Input: Output: <script>alert('XSS')</script> # Named entities only Operation: To HTML Entity Named entities: true

**HTML Entity Decode:**

Operation: From HTML Entity Input: <script>alert('XSS')</script> Output:

## Verschlüsselung und Entschlüsselung

### Symmetrische Verschlüsselung

**AES Verschlüsselung:**

Operation: AES Encrypt Mode: CBC Key: 16-byte key here IV: 16-byte IV here Input: Secret message Output: Encrypted data # Different modes Mode: ECB, CBC, CFB, OFB, GCM Key format: Hex, UTF8, Latin1, Base64

**AES Entschlüsselung:**

Operation: AES Decrypt Mode: CBC Key: 16-byte key here IV: 16-byte IV here Input: Encrypted data Output: Secret message

**DES/3DES:**

Operation: DES Encrypt Mode: CBC Key: 8-byte key IV: 8-byte IV Input: Data to encrypt Operation: Triple DES Encrypt Mode: CBC Key: 24-byte key IV: 8-byte IV

### Hash Funktionen

**Common Hashes: **

# MD5 Hash Operation: MD5 Input: Hello World Output: b10a8db164e0754105b7a99be72e3fe5 # SHA-1 Hash Operation: SHA1 Input: Hello World Output: 0a4d55a8d778e5022fab701977c5d840bbc486d0 # SHA-256 Hash Operation: SHA2 Size: 256 Input: Hello World Output: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e

**HMAC:**

Operation: HMAC Hash function: SHA256 Key: secret-key Input: message to authenticate Output: HMAC value

### Passwort Cracking

**Hash Analyse:**

Operation: Analyse hash Input: 5d41402abc4b2a76b9719d911017c592 Output: Possible hash types: MD5, NTLM # Hash identifier Operation: Hash identifier Input: $2b$12$... Output: bcrypt hash detected

**Dictionary Attack:**

# Generate wordlist Operation: Generate wordlist Type: Bruteforce Charset: abcdefghijklmnopqrstuvwxyz Min length: 4 Max length: 8 # Compare with hash Operation: Compare hashes Hash type: MD5 Target hash: 5d41402abc4b2a76b9719d911017c592

## Datenanalyse

### Textanalyse

**Frequenzanalyse:**

Operation: Frequency distribution Input: ATTACKATDAWN Output: Character frequency chart # Letter frequency analysis Operation: Chi squared Input: Encrypted text Output: Chi-squared values for different shifts

**Entropy Analyse:**

Operation: Entropy Input: Random data vs compressed data Output: Entropy value (0-8 bits) # Detect compression/encryption High entropy (>7): Likely encrypted/compressed Low entropy (``<4): Likely plain text

**String Extraction:**

Operation: Strings Min length: 4 Input: Binary file data Output: Printable strings # Extract specific patterns Operation: Regular expression Pattern: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\{2,\\\} Input: Text with email addresses

### Binäranalyse

**Hex Operationen:**

Operation: To Hex Delimiter: Space Input: Hello World Output: 48 65 6c 6c 6f 20 57 6f 72 6c 64 Operation: From Hex Delimiter: Auto Input: 48656c6c6f20576f726c64 Output: Hello World

**Binary Operations:**

Operation: To Binary Delimiter: Space Input: Hello Output: 01001000 01100101 01101100 01101100 01101111 # XOR operations Operation: XOR Key: secret Key format: UTF8 Input: Data to XOR

**Dateianalyse:**

Operation: File type Input: File header bytes Output: Detected file type # Extract file signatures Operation: Extract file paths Input: Binary data Output: Embedded file paths # Detect embedded files Operation: Binwalk Input: Firmware or binary file Output: Embedded file locations

## Forensik und Malware-Analyse

### Netzwerkanalyse

**IP Adresse Operationen:**

Operation: Parse IP range Input: 192.168.1.0/24 Output: List of IP addresses # GeoIP lookup Operation: GeoIP lookup Input: 8.8.8.8 Output: Location information # DNS operations Operation: DNS over HTTPS Query type: A Domain: example.com

**URL-Analyse:**

Operation: URL decode Input: Encoded URL Output: Decoded URL # Parse URL components Operation: Parse URI Input: https://example.com:8080/path?param=value Output: Protocol, host, port, path, query # Defang URLs Operation: Defang URL Input: http://malicious-site.com Output: hxxp://malicious-site[.]com

### Analyse der Ergebnisse

** Anmeldung:**

Operation: Parse log file Format: Apache Common Log Input: 127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 # Extract timestamps Operation: Extract dates Input: Log entries with various date formats Output: Standardized timestamps # Parse Windows Event Logs Operation: Parse Windows Event Log Input: XML event log data Output: Structured event information

** Timeline Analyse:**

Operation: Sort Sort by: Timestamp Input: Multiple log entries Output: Chronologically sorted events # Time zone conversion Operation: Change datetime format Input format: DD/MM/YYYY HH:mm:ss Output format: ISO 8601 Timezone: UTC

### Steganbau

**Bild Steganographie:**

Operation: Extract LSB Input: Image file Bit plane: 0 (LSB) Output: Hidden data # Extract EXIF data Operation: Extract EXIF Input: JPEG image Output: Metadata information # Image analysis Operation: View Bit Plane Bit: 0 Input: Suspicious image Output: LSB visualization

**Text Steganographie:**

Operation: Detect hidden text Method: Zero-width characters Input: Text with hidden content Output: Extracted hidden message # Whitespace steganography Operation: Whitespace Action: Decode Input: Text with hidden whitespace patterns

## Kryptanalyse

### Classical Ciphers

**Caesar Cipher: **

Operation: ROT13 Input: HELLO WORLD Output: URYYB JBEYQ # Variable rotation Operation: Caesar cipher Amount: 7 Direction: Encrypt Input: ATTACK AT DAWN Output: HAAHJR HA KHDV

** Substitution Ciphers:**

Operation: Substitution cipher Plaintext alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ Ciphertext alphabet: ZYXWVUTSRQPONMLKJIHGFEDCBA Input: HELLO Output: SVOOL # Atbash cipher Operation: Atbash cipher Input: HELLO WORLD Output: SVOOL DLIOW

**Vigenère Cipher: **

Operation: Vigenère encode Key: SECRET Input: HELLO WORLD Output: ZINCS AIDVN # Vigenère decode Operation: Vigenère decode Key: SECRET Input: ZINCS AIDVN Output: HELLO WORLD

### Moderne Kryptanalyse

**Frequenzanalyse:**

Operation: Frequency distribution Show percentages: true Input: Encrypted text Output: Character frequency analysis # Index of Coincidence Operation: Index of Coincidence Input: Ciphertext Output: IC value (indicates monoalphabetic vs polyalphabetic)

**Key Recovery:**

Operation: Kasiski examination Input: Vigenère ciphertext Output: Probable key lengths # Brute force Caesar Operation: ROT13 brute force Input: Encrypted text Output: All possible rotations

## Automatisierung und Schrift

### Rezept Kreation

**Save Rezepte:**

# Create reusable recipes 1. Build operation chain 2. Click "Save recipe" 3. Name and describe recipe 4. Share recipe link # Example: Malware deobfuscation recipe Operations: 1. From Base64 2. Gunzip 3. From Hex 4. AES Decrypt (key: known_key)

**Recipe Sharing: **

# Share via URL Recipe URL contains encoded operations Example: https://gchq.github.io/CyberChef/#recipe=To_Base64('A-Za-z0-9%2B/%3D') # Export/Import recipes File format: JSON Contains: Operations, parameters, input/output

### Batch Processing

** Multiple Inputs:**

# Process multiple files 1. Upload multiple files 2. Apply recipe to all 3. Download results as ZIP # Batch text processing Input: Multiple lines of data Recipe: Applied to each line Output: Processed results

** Automatische Skripte:**
```javascript
// CyberChef API usage (Node.js)
const chef = require("cyberchef");

// Create recipe
const recipe = new chef.Recipe(
    new chef.operations.ToBase64(),
    new chef.operations.MD5()
);

// Process data
const result = chef.bake("Hello World", recipe);
console.log(result.toString());
```_

## Erweiterte Techniken

### Zollsätze

** Magische Operation:**

Operation: Magic Input: Unknown encoded data Output: Automatically detected and decoded # Intensive mode Intensive: true Extensive language support: true Depth: 3 (number of operations to try)

**Fork Operation:**

Operation: Fork Split on: \n (newline) Merge: true Input: Multiple lines of data Recipe: Applied to each line separately Output: Combined results

### Datenvisualisierung

**Chart Generation:**

Operation: Scatter chart X values: Column 1 Y values: Column 2 Input: CSV data Output: Interactive scatter plot # Hex dump visualization Operation: To Hexdump Width: 16 Upper case: true Include ASCII: true

**Netzwerkdiagramme:**

Operation: Generate network diagram Input: Network connection logs Output: Visual network topology # Timeline visualization Operation: Timeline Date field: timestamp Event field: event_type Input: Log data with timestamps

## Integrationsbeispiele

### SIEM Integration

**Splunk Integration:**
```bash
# Use CyberChef for data preprocessing
# Example: Decode base64 logs before indexing

# Splunk search command
|eval decoded_data = base64decode(encoded_field)
|eval hash_value = md5(decoded_data)

# CyberChef recipe equivalent:
# 1. From Base64
# 2. MD5
```_

**ELK Stack Integration:**
```json
\\\{
  "processors": [
    \\\{
      "script": \\\{
        "source": "ctx.decoded = Base64.getDecoder().decode(ctx.encoded_field)"
      \\\}
    \\\}
  ]
\\\}
```_

### Threat Intelligence

**IOC Extraktion:**

# Extract indicators from reports Recipe: 1. Regular expression (IP addresses) 2. Regular expression (Domain names) 3. Regular expression (File hashes) 4. Defang URLs 5. Format as CSV Input: Threat intelligence report Output: Structured IOC list

**Malware Analyse:**

# Deobfuscate malware samples Recipe: 1. From Base64 2. Gunzip 3. From Hex 4. XOR (key: 0x42) 5. Extract strings 6. Regular expression (URLs/IPs) Input: Obfuscated malware Output: Deobfuscated code with IOCs

### CTF und Herausforderungen

**Common CTF Rezepte:**

# Multi-layer encoding Recipe: 1. From Base64 2. URL Decode 3. From Hex 4. ROT13 5. Atbash cipher # Steganography analysis Recipe: 1. Extract LSB 2. From Binary 3. Gunzip 4. From Base64 # Cryptanalysis chain Recipe: 1. Frequency distribution 2. Index of Coincidence 3. Kasiski examination 4. Vigenère decode (guessed key)

## Fehlerbehebung

### Gemeinsame Themen

**Leistungsprobleme:**

# Large file processing - Use "Drop bytes" to reduce size - Process in chunks using "Split" - Disable auto-bake for large operations # Memory issues - Clear input/output regularly - Use streaming operations when available - Restart browser if memory usage high

** Kodierungsfragen:**

# Character encoding problems - Check input encoding (UTF-8, Latin1, etc.) - Use "Detect encoding" operation - Convert between encodings as needed # Binary data handling - Use hex input for binary data - Check byte order (little/big endian) - Verify file headers and signatures

**Recipe Debugging: **

# Debug failed recipes - Check each operation individually - Verify input format matches expected - Use "To Hex" to inspect intermediate results - Check operation parameters # Error messages - "Invalid input": Check data format - "Key length": Verify encryption key size - "Parse error": Check syntax for regex/JSON

### Best Practices

**Rezeptentwicklung:**

# Start simple 1. Test each operation individually 2. Build recipe step by step 3. Verify intermediate outputs 4. Document recipe purpose # Error handling - Use "Drop bytes" to handle extra data - Add "Try" operations for uncertain steps - Include fallback operations

**Sicherheitsbedenken:**

# Sensitive data handling - Use local installation for sensitive data - Clear browser cache after use - Avoid cloud-hosted instances for secrets - Use HTTPS for web access # Data validation - Verify output makes sense - Cross-check with other tools - Test with known good data - Document assumptions and limitations ```_

Dieses umfassende CyberChef-Catsheet umfasst Datentransformation, Kryptanalyse, Forensik und Automatisierungstechniken für effektive Sicherheitsanalyse und Untersuchung.