Aide-mémoire CyberChef
CyberChef est une application web pour le chiffrement, l’encodage, la compression et l’analyse de données. Connu comme le “Couteau Suisse Cyber”, il permet aux analystes de sécurité d’effectuer des transformations de données complexes via une interface simple de glisser-déposer, ce qui le rend inestimable pour l’analyse de logiciels malveillants, la forensique et les défis CTF.
Installation et Configuration
Application Web
Accès en Ligne :
# Official hosted version
https://gchq.github.io/CyberChef/
# Alternative mirrors
https://cyberchef.org/
https://icyberchef.com/Installation Locale
Installation Docker :
# Pull official Docker image
docker pull mpepping/cyberchef
# Run CyberChef locally
docker run -d -p 8080:8080 mpepping/cyberchef
# Access at http://localhost:8080Installation Node.js :
# Clone repository
git clone https://github.com/gchq/CyberChef.git
cd CyberChef
# Install dependencies
npm install
# Build application
npm run build
# Start development server
npm start
# Access at http://localhost:8080Exécutable Autonome :
# Download pre-built releases
wget https://github.com/gchq/CyberChef/releases/download/v9.55.0/CyberChef_v9.55.0.zip
# Extract and run
unzip CyberChef_v9.55.0.zip
cd CyberChef_v9.55.0
python3 -m http.server 8080Vue d’Ensemble de l’Interface
Composants Principaux
Panneau de Recettes :
- Glisser des opérations depuis la liste des opérations
- Configurer les paramètres des opérations
- Réorganiser les opérations par glisser
- Sauvegarder et charger des recettes
Panneau d’Entrée :
- Coller ou saisir des données d’entrée
- Télécharger des fichiers (glisser-déposer)
- Charger des données depuis des URL
- Options de format d’entrée (texte, hex, base64)
Panneau de Sortie :
- Afficher les résultats de transformation
- Télécharger la sortie en tant que fichier
- Copier dans le presse-papiers
- Options de format de sortie multiples
Liste des Opérations :
- Rechercher des opérations par nom
- Parcourir par catégorie
- Favoris pour un accès rapide
- Historique des opérations récentes
Encodage et Décodage
Opérations Base64
Encodage Base64 :
Operation: To Base64
Input: Hello World
Output: SGVsbG8gV29ybGQ=
# With custom alphabet
Operation: To Base64
Alphabet: Custom
Input: sensitive dataDécodage Base64 :
Operation: From Base64
Input: SGVsbG8gV29ybGQ=
Output: Hello World
# Handle invalid characters
Operation: From Base64
Remove non-alphabet chars: trueVariantes Base64 :
# Base32 encoding
Operation: To Base32
Input: Hello World
Output: JBSWY3DPEBLW64TMMQ======
# Base58 encoding (Bitcoin)
Operation: To Base58
Input: Hello World
Output: JxF12TrwUP45BMd
# Base85 encoding
Operation: To Base85
Input: Hello World
Output: 87cURD]j7BEbo80Encodage URL
Encodage URL :
Operation: URL Encode
Input: hello world!@#$%
Output: hello%20world%21%40%23%24%25
# Encode all characters
Operation: URL Encode
Encode all chars: trueDécodage URL :
Operation: URL Decode
Input: hello%20world%21%40%23%24%25
Output: hello world!@#$%Encodage HTML
Encodage Entité HTML :
Operation: To HTML Entity
Input: <script>alert('XSS')</script>
Output: <script>alert('XSS')</script>
# Named entities only
Operation: To HTML Entity
Named entities: trueDécodage Entité HTML :
Operation: From HTML Entity
Input: <script>alert('XSS')</script>
Output: <script>alert('XSS')</script>Chiffrement et Déchiffrement
Chiffrement Symétrique
Chiffrement AES :
Operation: AES Encrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Secret message
Output: Encrypted data
# Different modes
Mode: ECB, CBC, CFB, OFB, GCM
Key format: Hex, UTF8, Latin1, Base64Déchiffrement AES :
Operation: AES Decrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Encrypted data
Output: Secret messageDES/3DES :
Operation: DES Encrypt
Mode: CBC
Key: 8-byte key
IV: 8-byte IV
Input: Data to encrypt
Operation: Triple DES Encrypt
Mode: CBC
Key: 24-byte key
IV: 8-byte IVFonctions de Hachage
Hachages Courants :
# MD5 Hash
Operation: MD5
Input: Hello World
Output: b10a8db164e0754105b7a99be72e3fe5
# SHA-1 Hash
Operation: SHA1
Input: Hello World
Output: 0a4d55a8d778e5022fab701977c5d840bbc486d0
# SHA-256 Hash
Operation: SHA2
Size: 256
Input: Hello World
Output: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146eHMAC :
Operation: HMAC
Hash function: SHA256
Key: secret-key
Input: message to authenticate
Output: HMAC valueCassage de Mot de Passe
Analyse de Hachage :
Operation: Analyse hash
Input: 5d41402abc4b2a76b9719d911017c592
Output: Possible hash types: MD5, NTLM
# Hash identifier
Operation: Hash identifier
Input: $2b$12$...
Output: bcrypt hash detectedAttaque par Dictionnaire :
# Generate wordlist
Operation: Generate wordlist
Type: Bruteforce
Charset: abcdefghijklmnopqrstuvwxyz
Min length: 4
Max length: 8
# Compare with hash
Operation: Compare hashes
Hash type: MD5
Target hash: 5d41402abc4b2a76b9719d911017c592Analyse de Données
Analyse de Texte
Analyse de Fréquence :``` Operation: Frequency distribution Input: ATTACKATDAWN Output: Character frequency chart
Letter frequency analysis
Operation: Chi squared Input: Encrypted text Output: Chi-squared values for different shifts
Operation: Entropy Input: Random data vs compressed data Output: Entropy value (0-8 bits)
Detect compression/encryption
High entropy (>7): Likely encrypted/compressed Low entropy (“<4): Likely plain text
Operation: Strings Min length: 4 Input: Binary file data Output: Printable strings
Extract specific patterns
Operation: Regular expression Pattern: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]\{2,\} Input: Text with email addresses
**Opérations Hexadécimales :**Operation: To Hex Delimiter: Space Input: Hello World Output: 48 65 6c 6c 6f 20 57 6f 72 6c 64
Operation: From Hex Delimiter: Auto Input: 48656c6c6f20576f726c64 Output: Hello World
Operation: To Binary Delimiter: Space Input: Hello Output: 01001000 01100101 01101100 01101100 01101111
XOR operations
Operation: XOR Key: secret Key format: UTF8 Input: Data to XOR
Operation: File type Input: File header bytes Output: Detected file type
Extract file signatures
Operation: Extract file paths Input: Binary data Output: Embedded file paths
Detect embedded files
Operation: Binwalk Input: Firmware or binary file Output: Embedded file locations
### Analyse Réseau
**Opérations d'Adresses IP :**Operation: Parse IP range Input: 192.168.1.0/24 Output: List of IP addresses
GeoIP lookup
Operation: GeoIP lookup Input: 8.8.8.8 Output: Location information
DNS operations
Operation: DNS over HTTPS Query type: A Domain: example.com
Operation: URL decode Input: Encoded URL Output: Decoded URL
Parse URL components
Operation: Parse URI Input: https://example.com:8080/path?param=value Output: Protocol, host, port, path, query
Defang URLs
Operation: Defang URL Input: http://malicious-site.com Output: hxxp://malicious-site[.]com
**Parsing de Logs :**Operation: Parse log file Format: Apache Common Log Input: 127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] “GET /apache_pb.gif HTTP/1.0” 200 2326
Extract timestamps
Operation: Extract dates Input: Log entries with various date formats Output: Standardized timestamps
Parse Windows Event Logs
Operation: Parse Windows Event Log Input: XML event log data Output: Structured event information
Operation: Sort Sort by: Timestamp Input: Multiple log entries Output: Chronologically sorted events
Time zone conversion
Operation: Change datetime format Input format: DD/MM/YYYY HH:mm:ss Output format: ISO 8601 Timezone: UTC
**Stéganographie d'Image :**Operation: Extract LSB Input: Image file Bit plane: 0 (LSB) Output: Hidden data
Extract EXIF data
Operation: Extract EXIF Input: JPEG image Output: Metadata information
Image analysis
Operation: View Bit Plane Bit: 0 Input: Suspicious image Output: LSB visualization
Operation: Detect hidden text Method: Zero-width characters Input: Text with hidden content Output: Extracted hidden message
Whitespace steganography
Operation: Whitespace Action: Decode Input: Text with hidden whitespace patterns
### Chiffres Classiques
**Chiffre de César :**Operation: ROT13 Input: HELLO WORLD Output: URYYB JBEYQ
Variable rotation
Operation: Caesar cipher Amount: 7 Direction: Encrypt Input: ATTACK AT DAWN Output: HAAHJR HA KHDV
Operation: Substitution cipher Plaintext alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ Ciphertext alphabet: ZYXWVUTSRQPONMLKJIHGFEDCBA Input: HELLO Output: SVOOL
Atbash cipher
Operation: Atbash cipher Input: HELLO WORLD Output: SVOOL DLIOW
Operation: Vigenère encode Key: SECRET Input: HELLO WORLD Output: ZINCS AIDVN
Vigenère decode
Operation: Vigenère decode Key: SECRET Input: ZINCS AIDVN Output: HELLO WORLD
**Analyse de Fréquence :**Operation: Frequency distribution Show percentages: true Input: Encrypted text Output: Character frequency analysis
Index of Coincidence
Operation: Index of Coincidence Input: Ciphertext Output: IC value (indicates monoalphabetic vs polyalphabetic)
Operation: Kasiski examination Input: Vigenère ciphertext Output: Probable key lengths
Brute force Caesar
Operation: ROT13 brute force Input: Encrypted text Output: All possible rotations
### Création de Recettes
**Sauvegarder les Recettes :**Create reusable recipes
- Build operation chain
- Click “Save recipe”
- Name and describe recipe
- Share recipe link
Example: Malware deobfuscation recipe
Operations:
- From Base64
- Gunzip
- From Hex
- AES Decrypt (key: known_key)
Share via URL
Recipe URL contains encoded operations Example: https://gchq.github.io/CyberChef/#recipe=To_Base64(‘A-Za-z0-9%2B/%3D’)
Export/Import recipes
File format: JSON Contains: Operations, parameters, input/output
**Entrées Multiples :**Process multiple files
- Upload multiple files
- Apply recipe to all
- Download results as ZIP
Batch text processing
Input: Multiple lines of data
Recipe: Applied to each line
Output: Processed results
**Scripts d'Automatisation :**javascript
// CyberChef API usage (Node.js)
const chef = require(“cyberchef”);
// Create recipe const recipe = new chef.Recipe( new chef.operations.ToBase64(), new chef.operations.MD5() );
// Process data const result = chef.bake(“Hello World”, recipe); console.log(result.toString());
## Techniques AvancéesOperation: Magic Input: Unknown encoded data Output: Automatically detected and decoded
Intensive mode
Intensive: true Extensive language support: true Depth: 3 (number of operations to try)
**Opération Fork:**Operation: Fork Split on: \n (newline) Merge: true Input: Multiple lines of data Recipe: Applied to each line separately Output: Combined results
### Visualisation de DonnéesOperation: Scatter chart X values: Column 1 Y values: Column 2 Input: CSV data Output: Interactive scatter plot
Hex dump visualization
Operation: To Hexdump Width: 16 Upper case: true Include ASCII: true
**Génération de Graphiques:**Operation: Generate network diagram Input: Network connection logs Output: Visual network topology
Timeline visualization
Operation: Timeline Date field: timestamp Event field: event_type Input: Log data with timestamps
**Diagrammes de Réseau:**
```bash
# Use CyberChef for data preprocessing
# Example: Decode base64 logs before indexing
# Splunk search command
|eval decoded_data = base64decode(encoded_field)
|eval hash_value = md5(decoded_data)
# CyberChef recipe equivalent:
# 1. From Base64
# 2. MD5Exemples d’Intégration
\\\{
"processors": [
\\\{
"script": \\\{
"source": "ctx.decoded = Base64.getDecoder().decode(ctx.encoded_field)"
\\\}
\\\}
]
\\\}Intégration ELK Stack:
# Extract indicators from reports
Recipe:
1. Regular expression (IP addresses)
2. Regular expression (Domain names)
3. Regular expression (File hashes)
4. Defang URLs
5. Format as CSV
Input: Threat intelligence report
Output: Structured IOC listRenseignement sur les Menaces
# Deobfuscate malware samples
Recipe:
1. From Base64
2. Gunzip
3. From Hex
4. XOR (key: 0x42)
5. Extract strings
6. Regular expression (URLs/IPs)
Input: Obfuscated malware
Output: Deobfuscated code with IOCsAnalyse de Logiciels Malveillants:
# Multi-layer encoding
Recipe:
1. From Base64
2. URL Decode
3. From Hex
4. ROT13
5. Atbash cipher
# Steganography analysis
Recipe:
1. Extract LSB
2. From Binary
3. Gunzip
4. From Base64
# Cryptanalysis chain
Recipe:
1. Frequency distribution
2. Index of Coincidence
3. Kasiski examination
4. Vigenère decode (guessed key)CTF et Défis
# Large file processing
- Use "Drop bytes" to reduce size
- Process in chunks using "Split"
- Disable auto-bake for large operations
# Memory issues
- Clear input/output regularly
- Use streaming operations when available
- Restart browser if memory usage highDépannage
# Character encoding problems
- Check input encoding (UTF-8, Latin1, etc.)
- Use "Detect encoding" operation
- Convert between encodings as needed
# Binary data handling
- Use hex input for binary data
- Check byte order (little/big endian)
- Verify file headers and signaturesProblèmes d’Encodage:
# Debug failed recipes
- Check each operation individually
- Verify input format matches expected
- Use "To Hex" to inspect intermediate results
- Check operation parameters
# Error messages
- "Invalid input": Check data format
- "Key length": Verify encryption key size
- "Parse error": Check syntax for regex/JSONDébogage de Recette:
# Start simple
1. Test each operation individually
2. Build recipe step by step
3. Verify intermediate outputs
4. Document recipe purpose
# Error handling
- Use "Drop bytes" to handle extra data
- Add "Try" operations for uncertain steps
- Include fallback operationsMeilleures Pratiques
# Sensitive data handling
- Use local installation for sensitive data
- Clear browser cache after use
- Avoid cloud-hosted instances for secrets
- Use HTTPS for web access
# Data validation
- Verify output makes sense
- Cross-check with other tools
- Test with known good data
- Document assumptions and limitationsConsidérations de Sécurité:
Ce guide complet de CyberChef couvre les techniques de transformation de données, de cryptanalyse, de forensique et d’automatisation pour une analyse et une investigation de sécurité efficaces.