CyberChef Cheatsheet
CyberChef is a web application for encryption, encoding, compression, and data analysis. Known as "The Cyber Swiss Army Knife," it enables security analysts to perform complex data transformations through a simple drag-and-drop interface, making it invaluable for malware analysis, forensics, and CTF challenges.
## Installation and Setup
### Web Application
**Online Access:**
# Official hosted version
https://gchq.github.io/CyberChef/
# Alternative mirrors
https://cyberchef.org/
https://icyberchef.com/
# Pull official Docker image
docker pull mpepping/cyberchef
# Run CyberChef locally
docker run -d -p 8080:8080 mpepping/cyberchef
# Access at http://localhost:8080
# Clone repository
git clone https://github.com/gchq/CyberChef.git
cd CyberChef
# Install dependencies
npm install
# Build application
npm run build
# Start development server
npm start
# Access at http://localhost:8080
# Download pre-built releases
wget https://github.com/gchq/CyberChef/releases/download/v9.55.0/CyberChef_v9.55.0.zip
# Extract and run
unzip CyberChef_v9.55.0.zip
cd CyberChef_v9.55.0
python3 -m http.server 8080
Operation: To Base64
Input: Hello World
Output: SGVsbG8gV29ybGQ=
# With custom alphabet
Operation: To Base64
Alphabet: Custom
Input: sensitive data
Operation: From Base64
Input: SGVsbG8gV29ybGQ=
Output: Hello World
# Handle invalid characters
Operation: From Base64
Remove non-alphabet chars: true
# Base32 encoding
Operation: To Base32
Input: Hello World
Output: JBSWY3DPEBLW64TMMQ======
# Base58 encoding (Bitcoin)
Operation: To Base58
Input: Hello World
Output: JxF12TrwUP45BMd
# Base85 encoding
Operation: To Base85
Input: Hello World
Output: 87cURD]j7BEbo80
Operation: URL Encode
Input: hello world!@#$%
Output: hello%20world%21%40%23%24%25
# Encode all characters
Operation: URL Encode
Encode all chars: true
Operation: URL Decode
Input: hello%20world%21%40%23%24%25
Output: hello world!@#$%
Operation: To HTML Entity
Input: <script>alert('XSS')</script>
Output: <script>alert('XSS')</script>
# Named entities only
Operation: To HTML Entity
Named entities: true
Operation: From HTML Entity
Input: <script>alert('XSS')</script>
Output: <script>alert('XSS')</script>
Operation: AES Encrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Secret message
Output: Encrypted data
# Different modes
Mode: ECB, CBC, CFB, OFB, GCM
Key format: Hex, UTF8, Latin1, Base64
Operation: AES Decrypt
Mode: CBC
Key: 16-byte key here
IV: 16-byte IV here
Input: Encrypted data
Output: Secret message
Operation: DES Encrypt
Mode: CBC
Key: 8-byte key
IV: 8-byte IV
Input: Data to encrypt
Operation: Triple DES Encrypt
Mode: CBC
Key: 24-byte key
IV: 8-byte IV
# MD5 Hash
Operation: MD5
Input: Hello World
Output: b10a8db164e0754105b7a99be72e3fe5
# SHA-1 Hash
Operation: SHA1
Input: Hello World
Output: 0a4d55a8d778e5022fab701977c5d840bbc486d0
# SHA-256 Hash
Operation: SHA2
Size: 256
Input: Hello World
Output: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e
Operation: HMAC
Hash function: SHA256
Key: secret-key
Input: message to authenticate
Output: HMAC value
Operation: Analyse hash
Input: 5d41402abc4b2a76b9719d911017c592
Output: Possible hash types: MD5, NTLM
# Hash identifier
Operation: Hash identifier
Input: $2b$12$...
Output: bcrypt hash detected
# Generate wordlist
Operation: Generate wordlist
Type: Bruteforce
Charset: abcdefghijklmnopqrstuvwxyz
Min length: 4
Max length: 8
# Compare with hash
Operation: Compare hashes
Hash type: MD5
Target hash: 5d41402abc4b2a76b9719d911017c592
Operation: Frequency distribution
Input: ATTACKATDAWN
Output: Character frequency chart
# Letter frequency analysis
Operation: Chi squared
Input: Encrypted text
Output: Chi-squared values for different shifts
Operation: Entropy
Input: Random data vs compressed data
Output: Entropy value (0-8 bits)
# Detect compression/encryption
High entropy (>7): Likely encrypted/compressed
Low entropy (``<4): Likely plain text
Operation: Strings
Min length: 4
Input: Binary file data
Output: Printable strings
# Extract specific patterns
Operation: Regular expression
Pattern: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\{2,\\\}
Input: Text with email addresses
Operation: To Hex
Delimiter: Space
Input: Hello World
Output: 48 65 6c 6c 6f 20 57 6f 72 6c 64
Operation: From Hex
Delimiter: Auto
Input: 48656c6c6f20576f726c64
Output: Hello World
Operation: To Binary
Delimiter: Space
Input: Hello
Output: 01001000 01100101 01101100 01101100 01101111
# XOR operations
Operation: XOR
Key: secret
Key format: UTF8
Input: Data to XOR
Operation: File type
Input: File header bytes
Output: Detected file type
# Extract file signatures
Operation: Extract file paths
Input: Binary data
Output: Embedded file paths
# Detect embedded files
Operation: Binwalk
Input: Firmware or binary file
Output: Embedded file locations
Operation: Parse IP range
Input: 192.168.1.0/24
Output: List of IP addresses
# GeoIP lookup
Operation: GeoIP lookup
Input: 8.8.8.8
Output: Location information
# DNS operations
Operation: DNS over HTTPS
Query type: A
Domain: example.com
Operation: URL decode
Input: Encoded URL
Output: Decoded URL
# Parse URL components
Operation: Parse URI
Input: https://example.com:8080/path?param=value
Output: Protocol, host, port, path, query
# Defang URLs
Operation: Defang URL
Input: http://malicious-site.com
Output: hxxp://malicious-site[.]com
Operation: Parse log file
Format: Apache Common Log
Input: 127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
# Extract timestamps
Operation: Extract dates
Input: Log entries with various date formats
Output: Standardized timestamps
# Parse Windows Event Logs
Operation: Parse Windows Event Log
Input: XML event log data
Output: Structured event information
Operation: Sort
Sort by: Timestamp
Input: Multiple log entries
Output: Chronologically sorted events
# Time zone conversion
Operation: Change datetime format
Input format: DD/MM/YYYY HH:mm:ss
Output format: ISO 8601
Timezone: UTC
Operation: Extract LSB
Input: Image file
Bit plane: 0 (LSB)
Output: Hidden data
# Extract EXIF data
Operation: Extract EXIF
Input: JPEG image
Output: Metadata information
# Image analysis
Operation: View Bit Plane
Bit: 0
Input: Suspicious image
Output: LSB visualization
Operation: Detect hidden text
Method: Zero-width characters
Input: Text with hidden content
Output: Extracted hidden message
# Whitespace steganography
Operation: Whitespace
Action: Decode
Input: Text with hidden whitespace patterns
Operation: ROT13
Input: HELLO WORLD
Output: URYYB JBEYQ
# Variable rotation
Operation: Caesar cipher
Amount: 7
Direction: Encrypt
Input: ATTACK AT DAWN
Output: HAAHJR HA KHDV
Operation: Substitution cipher
Plaintext alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext alphabet: ZYXWVUTSRQPONMLKJIHGFEDCBA
Input: HELLO
Output: SVOOL
# Atbash cipher
Operation: Atbash cipher
Input: HELLO WORLD
Output: SVOOL DLIOW
Operation: Vigenère encode
Key: SECRET
Input: HELLO WORLD
Output: ZINCS AIDVN
# Vigenère decode
Operation: Vigenère decode
Key: SECRET
Input: ZINCS AIDVN
Output: HELLO WORLD
Operation: Frequency distribution
Show percentages: true
Input: Encrypted text
Output: Character frequency analysis
# Index of Coincidence
Operation: Index of Coincidence
Input: Ciphertext
Output: IC value (indicates monoalphabetic vs polyalphabetic)
Operation: Kasiski examination
Input: Vigenère ciphertext
Output: Probable key lengths
# Brute force Caesar
Operation: ROT13 brute force
Input: Encrypted text
Output: All possible rotations
# Create reusable recipes
1. Build operation chain
2. Click "Save recipe"
3. Name and describe recipe
4. Share recipe link
# Example: Malware deobfuscation recipe
Operations:
1. From Base64
2. Gunzip
3. From Hex
4. AES Decrypt (key: known_key)
# Share via URL
Recipe URL contains encoded operations
Example: https://gchq.github.io/CyberChef/#recipe=To_Base64('A-Za-z0-9%2B/%3D')
# Export/Import recipes
File format: JSON
Contains: Operations, parameters, input/output
# Process multiple files
1. Upload multiple files
2. Apply recipe to all
3. Download results as ZIP
# Batch text processing
Input: Multiple lines of data
Recipe: Applied to each line
Output: Processed results
// CyberChef API usage (Node.js)
const chef = require("cyberchef");
// Create recipe
const recipe = new chef.Recipe(
new chef.operations.ToBase64(),
new chef.operations.MD5()
);
// Process data
const result = chef.bake("Hello World", recipe);
console.log(result.toString());
Operation: Magic
Input: Unknown encoded data
Output: Automatically detected and decoded
# Intensive mode
Intensive: true
Extensive language support: true
Depth: 3 (number of operations to try)
Operation: Fork
Split on: \n (newline)
Merge: true
Input: Multiple lines of data
Recipe: Applied to each line separately
Output: Combined results
Operation: Scatter chart
X values: Column 1
Y values: Column 2
Input: CSV data
Output: Interactive scatter plot
# Hex dump visualization
Operation: To Hexdump
Width: 16
Upper case: true
Include ASCII: true
Operation: Generate network diagram
Input: Network connection logs
Output: Visual network topology
# Timeline visualization
Operation: Timeline
Date field: timestamp
Event field: event_type
Input: Log data with timestamps
# Use CyberChef for data preprocessing
# Example: Decode base64 logs before indexing
# Splunk search command
|eval decoded_data = base64decode(encoded_field)
|eval hash_value = md5(decoded_data)
# CyberChef recipe equivalent:
# 1. From Base64
# 2. MD5
\\\{
"processors": [
\\\{
"script": \\\{
"source": "ctx.decoded = Base64.getDecoder().decode(ctx.encoded_field)"
\\\}
\\\}
]
\\\}
# Extract indicators from reports
Recipe:
1. Regular expression (IP addresses)
2. Regular expression (Domain names)
3. Regular expression (File hashes)
4. Defang URLs
5. Format as CSV
Input: Threat intelligence report
Output: Structured IOC list
# Deobfuscate malware samples
Recipe:
1. From Base64
2. Gunzip
3. From Hex
4. XOR (key: 0x42)
5. Extract strings
6. Regular expression (URLs/IPs)
Input: Obfuscated malware
Output: Deobfuscated code with IOCs
# Multi-layer encoding
Recipe:
1. From Base64
2. URL Decode
3. From Hex
4. ROT13
5. Atbash cipher
# Steganography analysis
Recipe:
1. Extract LSB
2. From Binary
3. Gunzip
4. From Base64
# Cryptanalysis chain
Recipe:
1. Frequency distribution
2. Index of Coincidence
3. Kasiski examination
4. Vigenère decode (guessed key)
# Large file processing
- Use "Drop bytes" to reduce size
- Process in chunks using "Split"
- Disable auto-bake for large operations
# Memory issues
- Clear input/output regularly
- Use streaming operations when available
- Restart browser if memory usage high
# Character encoding problems
- Check input encoding (UTF-8, Latin1, etc.)
- Use "Detect encoding" operation
- Convert between encodings as needed
# Binary data handling
- Use hex input for binary data
- Check byte order (little/big endian)
- Verify file headers and signatures
# Debug failed recipes
- Check each operation individually
- Verify input format matches expected
- Use "To Hex" to inspect intermediate results
- Check operation parameters
# Error messages
- "Invalid input": Check data format
- "Key length": Verify encryption key size
- "Parse error": Check syntax for regex/JSON
# Start simple
1. Test each operation individually
2. Build recipe step by step
3. Verify intermediate outputs
4. Document recipe purpose
# Error handling
- Use "Drop bytes" to handle extra data
- Add "Try" operations for uncertain steps
- Include fallback operations
# Sensitive data handling
- Use local installation for sensitive data
- Clear browser cache after use
- Avoid cloud-hosted instances for secrets
- Use HTTPS for web access
# Data validation
- Verify output makes sense
- Cross-check with other tools
- Test with known good data
- Document assumptions and limitations
``
This comprehensive CyberChef cheatsheet covers data transformation, cryptanalysis, forensics, and automation techniques for effective security analysis and investigation.