Guida Rapida a CyberChef

📋 Copy All CyberChef Commands 📄 Generate CyberChef PDF Guide

CyberChef è un'applicazione web per crittografia, codifica, compressione e analisi dei dati. Conosciuto come "Il Coltellino Svizzero Digitale", permette agli analisti di sicurezza di eseguire complesse trasformazioni di dati attraverso un'interfaccia semplice di drag-and-drop, rendendolo prezioso per l'analisi di malware, forensica e sfide CTF. ## Installazione e Configurazione ### Applicazione Web **Accesso Online:**

# Official hosted version
https://gchq.github.io/CyberChef/

# Alternative mirrors
https://cyberchef.org/
https://icyberchef.com/

### Installazione Locale **Installazione Docker:**

# Pull official Docker image
docker pull mpepping/cyberchef

# Run CyberChef locally
docker run -d -p 8080:8080 mpepping/cyberchef

# Access at http://localhost:8080

**Installazione Node.js:**

# Clone repository
git clone https://github.com/gchq/CyberChef.git
cd CyberChef

# Install dependencies
npm install

# Build application
npm run build

# Start development server
npm start

# Access at http://localhost:8080

**Eseguibile Standalone:**

# Download pre-built releases
wget https://github.com/gchq/CyberChef/releases/download/v9.55.0/CyberChef_v9.55.0.zip

# Extract and run
unzip CyberChef_v9.55.0.zip
cd CyberChef_v9.55.0
python3 -m http.server 8080

## Panoramica dell'Interfaccia ### Componenti Principali **Pannello Ricette:** - Trascina operazioni dalla lista delle operazioni - Configura parametri delle operazioni - Riordina operazioni trascinando - Salva e carica ricette **Pannello Input:** - Incolla o digita dati di input - Carica file (trascina e rilascia) - Carica dati da URL - Opzioni di formato input (testo, esadecimale, base64) **Pannello Output:** - Visualizza risultati delle trasformazioni - Scarica output come file - Copia negli appunti - Opzioni multiple di formato output **Lista Operazioni:** - Cerca operazioni per nome - Sfoglia per categoria - Preferiti per accesso rapido - Cronologia operazioni recenti ## Codifica e Decodifica ### Operazioni Base64 **Codifica Base64:**

Operation: To Base64
Input: Hello World
Output: SGVsbG8gV29ybGQ=

# With custom alphabet
Operation: To Base64
Alphabet: Custom
Input: sensitive data

**Decodifica Base64:**

Operation: From Base64
Input: SGVsbG8gV29ybGQ=
Output: Hello World

# Handle invalid characters
Operation: From Base64
Remove non-alphabet chars: true

**Varianti Base64:**

# Base32 encoding
Operation: To Base32
Input: Hello World
Output: JBSWY3DPEBLW64TMMQ======

# Base58 encoding (Bitcoin)
Operation: To Base58
Input: Hello World
Output: JxF12TrwUP45BMd

# Base85 encoding
Operation: To Base85
Input: Hello World
Output: 87cURD]j7BEbo80

### Codifica URL **Codifica URL:**

Operation: URL Encode
Input: hello world!@#$%
Output: hello%20world%21%40%23%24%25

# Encode all characters
Operation: URL Encode
Encode all chars: true

**Decodifica URL:**

Operation: URL Decode
Input: hello%20world%21%40%23%24%25
Output: hello world!@#$%

### Codifica HTML **Codifica Entità HTML:**

Operation: To HTML Entity
Input: <script>alert('XSS')</script>
Output: &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;

# Named entities only
Operation: To HTML Entity
Named entities: true

**Decodifica Entità HTML:**

Operation: From HTML Entity
Input: <script>alert('XSS')</script>
Output: <script>alert('XSS')</script>

## Crittografia e Decrittografia ### Crittografia Simmetrica **Crittografia AES:**

Operation: AES Encrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Secret message
Output: Encrypted data

# Different modes
Mode: ECB, CBC, CFB, OFB, GCM
Key format: Hex, UTF8, Latin1, Base64

**Decrittografia AES:**

Operation: AES Decrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Encrypted data
Output: Secret message

**DES/3DES:**

Operation: DES Encrypt
Mode: CBC
Key: 8-byte key
IV: 8-byte IV
Input: Data to encrypt

Operation: Triple DES Encrypt
Mode: CBC
Key: 24-byte key
IV: 8-byte IV

### Funzioni Hash **Hash Comuni:**

# MD5 Hash
Operation: MD5
Input: Hello World
Output: b10a8db164e0754105b7a99be72e3fe5

# SHA-1 Hash
Operation: SHA1
Input: Hello World
Output: 0a4d55a8d778e5022fab701977c5d840bbc486d0

# SHA-256 Hash
Operation: SHA2
Size: 256
Input: Hello World
Output: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e

**HMAC:**

Operation: HMAC
Hash function: SHA256
Key: secret-key
Input: message to authenticate
Output: HMAC value

### Attacchi Password **Analisi Hash:**

Operation: Analyse hash
Input: 5d41402abc4b2a76b9719d911017c592
Output: Possible hash types: MD5, NTLM

# Hash identifier
Operation: Hash identifier
Input: $2b$12$...
Output: bcrypt hash detected

**Attacco a Dizionario:**

# Generate wordlist
Operation: Generate wordlist
Type: Bruteforce
Charset: abcdefghijklmnopqrstuvwxyz
Min length: 4
Max length: 8

# Compare with hash
Operation: Compare hashes
Hash type: MD5
Target hash: 5d41402abc4b2a76b9719d911017c592

Would you like me to continue with the remaining translations for sections 3-20?``` Operation: Frequency distribution Input: ATTACKATDAWN Output: Character frequency chart # Letter frequency analysis Operation: Chi squared Input: Encrypted text Output: Chi-squared values for different shifts ```**Analisi dell'Entropia:**

Operation: Entropy
Input: Random data vs compressed data
Output: Entropy value (0-8 bits)

# Detect compression/encryption
High entropy (>7): Likely encrypted/compressed
Low entropy (``<4): Likely plain text
```**Estrazione di Stringhe:**

Operation: Strings Min length: 4 Input: Binary file data Output: Printable strings # Extract specific patterns Operation: Regular expression Pattern: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\{2,\\\} Input: Text with email addresses ```### Analisi Binaria **Operazioni Esadecimali:**

Operation: To Hex
Delimiter: Space
Input: Hello World
Output: 48 65 6c 6c 6f 20 57 6f 72 6c 64

Operation: From Hex
Delimiter: Auto
Input: 48656c6c6f20576f726c64
Output: Hello World
```**Operazioni Binarie:**

Operation: To Binary Delimiter: Space Input: Hello Output: 01001000 01100101 01101100 01101100 01101111 # XOR operations Operation: XOR Key: secret Key format: UTF8 Input: Data to XOR ```**Analisi dei File:**

Operation: File type
Input: File header bytes
Output: Detected file type

# Extract file signatures
Operation: Extract file paths
Input: Binary data
Output: Embedded file paths

# Detect embedded files
Operation: Binwalk
Input: Firmware or binary file
Output: Embedded file locations
```## Forensica e Analisi di Malware

### Analisi di Rete

**Operazioni su Indirizzi IP:**

Operation: Parse IP range Input: 192.168.1.0/24 Output: List of IP addresses # GeoIP lookup Operation: GeoIP lookup Input: 8.8.8.8 Output: Location information # DNS operations Operation: DNS over HTTPS Query type: A Domain: example.com ```**Analisi URL:**

Operation: URL decode
Input: Encoded URL
Output: Decoded URL

# Parse URL components
Operation: Parse URI
Input: https://example.com:8080/path?param=value
Output: Protocol, host, port, path, query

# Defang URLs
Operation: Defang URL
Input: http://malicious-site.com
Output: hxxp://malicious-site[.]com
```### Analisi dei Log

**Parsing dei Log:**

Operation: Parse log file Format: Apache Common Log Input: 127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 # Extract timestamps Operation: Extract dates Input: Log entries with various date formats Output: Standardized timestamps # Parse Windows Event Logs Operation: Parse Windows Event Log Input: XML event log data Output: Structured event information ```**Analisi Temporale:**

Operation: Sort
Sort by: Timestamp
Input: Multiple log entries
Output: Chronologically sorted events

# Time zone conversion
Operation: Change datetime format
Input format: DD/MM/YYYY HH:mm:ss
Output format: ISO 8601
Timezone: UTC
```### Steganografia

**Steganografia di Immagini:**

Operation: Extract LSB Input: Image file Bit plane: 0 (LSB) Output: Hidden data # Extract EXIF data Operation: Extract EXIF Input: JPEG image Output: Metadata information # Image analysis Operation: View Bit Plane Bit: 0 Input: Suspicious image Output: LSB visualization ```**Steganografia di Testo:**

Operation: Detect hidden text
Method: Zero-width characters
Input: Text with hidden content
Output: Extracted hidden message

# Whitespace steganography
Operation: Whitespace
Action: Decode
Input: Text with hidden whitespace patterns
```## Crittanalisi

### Cifrari Classici

**Cifrario di Cesare:**

Operation: ROT13 Input: HELLO WORLD Output: URYYB JBEYQ # Variable rotation Operation: Caesar cipher Amount: 7 Direction: Encrypt Input: ATTACK AT DAWN Output: HAAHJR HA KHDV ```**Cifrari a Sostituzione:**

Operation: Substitution cipher
Plaintext alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext alphabet: ZYXWVUTSRQPONMLKJIHGFEDCBA
Input: HELLO
Output: SVOOL

# Atbash cipher
Operation: Atbash cipher
Input: HELLO WORLD
Output: SVOOL DLIOW
```**Cifrario di Vigenère:**

Operation: Vigenère encode Key: SECRET Input: HELLO WORLD Output: ZINCS AIDVN # Vigenère decode Operation: Vigenère decode Key: SECRET Input: ZINCS AIDVN Output: HELLO WORLD ```### Crittanalisi Moderna **Analisi di Frequenza:**

Operation: Frequency distribution
Show percentages: true
Input: Encrypted text
Output: Character frequency analysis

# Index of Coincidence
Operation: Index of Coincidence
Input: Ciphertext
Output: IC value (indicates monoalphabetic vs polyalphabetic)
```**Recupero Chiave:**

Operation: Kasiski examination Input: Vigenère ciphertext Output: Probable key lengths # Brute force Caesar Operation: ROT13 brute force Input: Encrypted text Output: All possible rotations ```## Automazione e Scripting ### Creazione di Ricette **Salvataggio Ricette:**

# Create reusable recipes
1. Build operation chain
2. Click "Save recipe"
3. Name and describe recipe
4. Share recipe link

# Example: Malware deobfuscation recipe
Operations:
1. From Base64
2. Gunzip
3. From Hex
4. AES Decrypt (key: known_key)
```**Condivisione Ricette:**

# Share via URL Recipe URL contains encoded operations Example: https://gchq.github.io/CyberChef/#recipe=To_Base64('A-Za-z0-9%2B/%3D') # Export/Import recipes File format: JSON Contains: Operations, parameters, input/output ```### Elaborazione in Batch **Input Multipli:**

# Process multiple files
1. Upload multiple files
2. Apply recipe to all
3. Download results as ZIP

# Batch text processing
Input: Multiple lines of data
Recipe: Applied to each line
Output: Processed results
```**Script di Automazione:**```javascript
// CyberChef API usage (Node.js)
const chef = require("cyberchef");

// Create recipe
const recipe = new chef.Recipe(
    new chef.operations.ToBase64(),
    new chef.operations.MD5()
);

// Process data
const result = chef.bake("Hello World", recipe);
console.log(result.toString());

## Tecniche Avanzate ### Operazioni Personalizzate **Operazione Magica:**

Operation: Magic
Input: Unknown encoded data
Output: Automatically detected and decoded

# Intensive mode
Intensive: true
Extensive language support: true
Depth: 3 (number of operations to try)

**Operazione Fork:**

Operation: Fork
Split on: \n (newline)
Merge: true
Input: Multiple lines of data
Recipe: Applied to each line separately
Output: Combined results

### Visualizzazione Dati **Generazione di Grafici:**

Operation: Scatter chart
X values: Column 1
Y values: Column 2
Input: CSV data
Output: Interactive scatter plot

# Hex dump visualization
Operation: To Hexdump
Width: 16
Upper case: true
Include ASCII: true

**Diagrammi di Rete:**

Operation: Generate network diagram
Input: Network connection logs
Output: Visual network topology

# Timeline visualization
Operation: Timeline
Date field: timestamp
Event field: event_type
Input: Log data with timestamps

## Esempi di Integrazione ### Integrazione SIEM **Integrazione Splunk:**

# Use CyberChef for data preprocessing
# Example: Decode base64 logs before indexing

# Splunk search command
|eval decoded_data = base64decode(encoded_field)
|eval hash_value = md5(decoded_data)

# CyberChef recipe equivalent:
# 1. From Base64
# 2. MD5

**Integrazione ELK Stack:**

\\\{
  "processors": [
    \\\{
      "script": \\\{
        "source": "ctx.decoded = Base64.getDecoder().decode(ctx.encoded_field)"
      \\\}
    \\\}
  ]
\\\}

### Intelligence delle Minacce **Estrazione IOC:**

# Extract indicators from reports
Recipe:
1. Regular expression (IP addresses)
2. Regular expression (Domain names)
3. Regular expression (File hashes)
4. Defang URLs
5. Format as CSV

Input: Threat intelligence report
Output: Structured IOC list

**Analisi Malware:**

# Deobfuscate malware samples
Recipe:
1. From Base64
2. Gunzip
3. From Hex
4. XOR (key: 0x42)
5. Extract strings
6. Regular expression (URLs/IPs)

Input: Obfuscated malware
Output: Deobfuscated code with IOCs

### CTF e Sfide **Ricette CTF Comuni:**

# Multi-layer encoding
Recipe:
1. From Base64
2. URL Decode
3. From Hex
4. ROT13
5. Atbash cipher

# Steganography analysis
Recipe:
1. Extract LSB
2. From Binary
3. Gunzip
4. From Base64

# Cryptanalysis chain
Recipe:
1. Frequency distribution
2. Index of Coincidence
3. Kasiski examination
4. Vigenère decode (guessed key)

## Risoluzione dei Problemi ### Problemi Comuni **Problemi di Prestazioni:**

# Large file processing
- Use "Drop bytes" to reduce size
- Process in chunks using "Split"
- Disable auto-bake for large operations

# Memory issues
- Clear input/output regularly
- Use streaming operations when available
- Restart browser if memory usage high

**Problemi di Codifica:**

# Character encoding problems
- Check input encoding (UTF-8, Latin1, etc.)
- Use "Detect encoding" operation
- Convert between encodings as needed

# Binary data handling
- Use hex input for binary data
- Check byte order (little/big endian)
- Verify file headers and signatures

**Debug di Ricette:**

# Debug failed recipes
- Check each operation individually
- Verify input format matches expected
- Use "To Hex" to inspect intermediate results
- Check operation parameters

# Error messages
- "Invalid input": Check data format
- "Key length": Verify encryption key size
- "Parse error": Check syntax for regex/JSON

### Best Practice **Sviluppo di Ricette:**

# Start simple
1. Test each operation individually
2. Build recipe step by step
3. Verify intermediate outputs
4. Document recipe purpose

# Error handling
- Use "Drop bytes" to handle extra data
- Add "Try" operations for uncertain steps
- Include fallback operations

**Considerazioni di Sicurezza:**

# Sensitive data handling
- Use local installation for sensitive data
- Clear browser cache after use
- Avoid cloud-hosted instances for secrets
- Use HTTPS for web access

# Data validation
- Verify output makes sense
- Cross-check with other tools
- Test with known good data
- Document assumptions and limitations

Questo cheatsheet completo di CyberChef copre tecniche di trasformazione dei dati, crittanalisi, forensica e automazione per un'analisi e investigazione di sicurezza efficace.