Mar 10, 2022 by Georgi Nikolov | 1594 views
Don't remember all the command line tools or which parameters go where? At some point getting lost in all these terminal screens running different algorithms one after the other? Let CyberChef prepare and cook all this for you!
The main focus of our team is research into new ways we can detect and defend from emergent cyber threats, but without educating people about the dangers, it becomes hard to protect our data and private information. Our education efforts vary between giving general IT classes to the students at the Royal Military Academy and more specialized classes to private groups. In the past, we have given Awareness Training courses to the European Space Agency (ESA) and since the beginning of the year, we are busy organizing crash courses for students interested in participating in the Cyber Security Challenge. During these courses we go over some of the cyber security theory and show them practical tools, one of which is the magnificently named "CyberChef".
During research or incident response, it is not always possible to do everything we want, usually because of time constraints. It is quite fortunate that there are tools out there, which can help us speed some some operations and present us the findings in a timely fashion. CyberChef is one such tool, as described by the creators themselves:
CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more. The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years.
The live demo of the tool can be accessed via their CyberChef web-portal, but it is also possible to download the CyberChef code from Gitlab or download the Docker container to run the project locally.
The tool in itself is quite intuitive. There are multiple panels, which serve clearly defined purpose, as shown below.
At any point we can save the sequence of commands, or recipe, and the output generated by them. This is handy if we want to share them with other people or save them for later use. It is also possible to delete the contents of the panels and reset to default so we can analyze something else.
During our Cyber Security Challenge courses, we often use examples of challenges presented during previous years. One such challenge, that we used, is the Alien Object Challenge. The students are presented with a
JPG file and they need to investigate it and find a specific string of characters, representing a "flag".
The steps in analyzing the image file are as follows:
Of course we can do all these steps using a variety of tools through the command line, but to speed up the process, we can use CyberChef and facilitate the analysis quite a bit.
First we drag and drop our
cosmos.jpg image in the Input panel. Then we need to use the correct operation to check the metadata, in this case we will search for the "Extract EXIF" command.
We can see already in the Output panel the metadata, which is presented to us in a clear and readable way. Something that seems off, is the field "Model", it contains a long string of characters, which is not normal.
To extract the data, we can use a regular expression, or regex for short. We can search for the "Regular expression" operations in the Operations panel and drag & drop it in our Recipe panel. There we are presented with some options to fill in:
Now in the Output panel we only see the long string of characters.
For those with some IT knowledge, we can see that the string of characters ends with a
= symbol. This usually means that this is a string encoded in base64. To decode it, we can search for the "From Base64" operations and drag it into our Recipe panel. Directly the string from the previous step is transformed into something new.
Sadly the output hasn't become any more readable, but it does give us extra information about what we are looking at. The starting two characters
PK signify that this is a zip file, following the list of signatures found on the Wikipedia source list. The interesting thing is that if we hover over the magic wand on the top right of the Output panel, it will show us that we can unzip this data and what the contents would be.
So now we can search for the "Unzip" operation and drag it into our Recipe. Directly we can see that the data in the Output panel has changed to a link named
f. When clicking on it, we are presented with the contents of the zip and our flag!
As a researcher or cyber analyst it is often important to know how to use different tools and commands through the command line, but it is not always feasible to spend long amounts of time to test every possible solution, or even remember the right sequence of parameters! This is why it is great to be able to refer to tools, such as CyberChef, to do the heavy lifting for us. In the same vein, students can familiarize themselves with certain techniques and concepts they might encounter often, when dealing with cyber defense and data analysis.