cyberchef 9.37.2 → 9.38.1

package/src/core/operations/ParseTCP.mjs

@@ -0,0 +1,245 @@
+/**
+ * @author n1474335 [n1474335@gmail.com]
+ * @copyright Crown Copyright 2022
+ * @license Apache-2.0
+ */
+
+import Operation from "../Operation.mjs";
+import Stream from "../lib/Stream.mjs";
+import {toHexFast, fromHex} from "../lib/Hex.mjs";
+import {toBinary} from "../lib/Binary.mjs";
+import {objToTable, bytesToLargeNumber} from "../lib/Protocol.mjs";
+import Utils from "../Utils.mjs";
+import OperationError from "../errors/OperationError.mjs";
+import BigNumber from "bignumber.js";
+
+/**
+ * Parse TCP operation
+ */
+class ParseTCP extends Operation {
+
+    /**
+     * ParseTCP constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "Parse TCP";
+        this.module = "Default";
+        this.description = "Parses a TCP header and payload (if present).";
+        this.infoURL = "https://wikipedia.org/wiki/Transmission_Control_Protocol";
+        this.inputType = "string";
+        this.outputType = "json";
+        this.presentType = "html";
+        this.args = [
+            {
+                name: "Input format",
+                type: "option",
+                value: ["Hex", "Raw"]
+            }
+        ];
+    }
+
+    /**
+     * @param {string} input
+     * @param {Object[]} args
+     * @returns {html}
+     */
+    run(input, args) {
+        const format = args[0];
+
+        if (format === "Hex") {
+            input = fromHex(input);
+        } else if (format === "Raw") {
+            input = Utils.strToArrayBuffer(input);
+        } else {
+            throw new OperationError("Unrecognised input format.");
+        }
+
+        const s = new Stream(new Uint8Array(input));
+        if (s.length < 20) {
+            throw new OperationError("Need at least 20 bytes for a TCP Header");
+        }
+
+        // Parse Header
+        const TCPPacket = {
+            "Source port": s.readInt(2),
+            "Destination port": s.readInt(2),
+            "Sequence number": bytesToLargeNumber(s.getBytes(4)),
+            "Acknowledgement number": s.readInt(4),
+            "Data offset": s.readBits(4),
+            "Flags": {
+                "Reserved": toBinary(s.readBits(3), "", 3),
+                "NS": s.readBits(1),
+                "CWR": s.readBits(1),
+                "ECE": s.readBits(1),
+                "URG": s.readBits(1),
+                "ACK": s.readBits(1),
+                "PSH": s.readBits(1),
+                "RST": s.readBits(1),
+                "SYN": s.readBits(1),
+                "FIN": s.readBits(1),
+            },
+            "Window size": s.readInt(2),
+            "Checksum": "0x" + toHexFast(s.getBytes(2)),
+            "Urgent pointer": "0x" + toHexFast(s.getBytes(2))
+        };
+
+        // Parse options if present
+        let windowScaleShift = 0;
+        if (TCPPacket["Data offset"] > 5) {
+            let remainingLength = TCPPacket["Data offset"] * 4 - 20;
+
+            const options = {};
+            while (remainingLength > 0) {
+                const option = {
+                    "Kind": s.readInt(1)
+                };
+
+                let opt = { name: "Reserved", length: true };
+                if (Object.prototype.hasOwnProperty.call(TCP_OPTION_KIND_LOOKUP, option.Kind)) {
+                    opt = TCP_OPTION_KIND_LOOKUP[option.Kind];
+                }
+
+                // Add Length and Value fields
+                if (opt.length) {
+                    option.Length = s.readInt(1);
+
+                    if (option.Length > 2) {
+                        if (Object.prototype.hasOwnProperty.call(opt, "parser")) {
+                            option.Value = opt.parser(s.getBytes(option.Length - 2));
+                        } else {
+                            option.Value = option.Length <= 6 ?
+                                s.readInt(option.Length - 2):
+                                "0x" + toHexFast(s.getBytes(option.Length - 2));
+                        }
+
+                        // Store Window Scale shift for later
+                        if (option.Kind === 3 && option.Value) {
+                            windowScaleShift = option.Value["Shift count"];
+                        }
+                    }
+                }
+                options[opt.name] = option;
+
+                const length = option.Length || 1;
+                remainingLength -= length;
+            }
+            TCPPacket.Options = options;
+        }
+
+        if (s.hasMore()) {
+            TCPPacket.Data = "0x" + toHexFast(s.getBytes());
+        }
+
+        // Improve values
+        TCPPacket["Data offset"] = `${TCPPacket["Data offset"]} (${TCPPacket["Data offset"] * 4} bytes)`;
+        const trueWndSize = BigNumber(TCPPacket["Window size"]).multipliedBy(BigNumber(2).pow(BigNumber(windowScaleShift)));
+        TCPPacket["Window size"] = `${TCPPacket["Window size"]} (Scaled: ${trueWndSize})`;
+
+        return TCPPacket;
+    }
+
+    /**
+     * Displays the TCP Packet in a tabular style
+     * @param {Object} data
+     * @returns {html}
+     */
+    present(data) {
+        return objToTable(data);
+    }
+
+}
+
+// Taken from https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml
+// on 2022-05-30
+const TCP_OPTION_KIND_LOOKUP = {
+    0: { name: "End of Option List", length: false },
+    1: { name: "No-Operation", length: false },
+    2: { name: "Maximum Segment Size", length: true },
+    3: { name: "Window Scale", length: true, parser: windowScaleParser },
+    4: { name: "SACK Permitted", length: true },
+    5: { name: "SACK", length: true },
+    6: { name: "Echo (obsoleted by option 8)", length: true },
+    7: { name: "Echo Reply (obsoleted by option 8)", length: true },
+    8: { name: "Timestamps", length: true, parser: tcpTimestampParser },
+    9: { name: "Partial Order Connection Permitted (obsolete)", length: true },
+    10: { name: "Partial Order Service Profile (obsolete)", length: true },
+    11: { name: "CC (obsolete)", length: true },
+    12: { name: "CC.NEW (obsolete)", length: true },
+    13: { name: "CC.ECHO (obsolete)", length: true },
+    14: { name: "TCP Alternate Checksum Request (obsolete)", length: true, parser: tcpAlternateChecksumParser },
+    15: { name: "TCP Alternate Checksum Data (obsolete)", length: true },
+    16: { name: "Skeeter", length: true },
+    17: { name: "Bubba", length: true },
+    18: { name: "Trailer Checksum Option", length: true },
+    19: { name: "MD5 Signature Option (obsoleted by option 29)", length: true },
+    20: { name: "SCPS Capabilities", length: true },
+    21: { name: "Selective Negative Acknowledgements", length: true },
+    22: { name: "Record Boundaries", length: true },
+    23: { name: "Corruption experienced", length: true },
+    24: { name: "SNAP", length: true },
+    25: { name: "Unassigned (released 2000-12-18)", length: true },
+    26: { name: "TCP Compression Filter", length: true },
+    27: { name: "Quick-Start Response", length: true },
+    28: { name: "User Timeout Option (also, other known unauthorized use)", length: true },
+    29: { name: "TCP Authentication Option (TCP-AO)", length: true },
+    30: { name: "Multipath TCP (MPTCP)", length: true },
+    69: { name: "Encryption Negotiation (TCP-ENO)", length: true },
+    70: { name: "Reserved (known unauthorized use without proper IANA assignment)", length: true },
+    76: { name: "Reserved (known unauthorized use without proper IANA assignment)", length: true },
+    77: { name: "Reserved (known unauthorized use without proper IANA assignment)", length: true },
+    78: { name: "Reserved (known unauthorized use without proper IANA assignment)", length: true },
+    253: { name: "RFC3692-style Experiment 1 (also improperly used for shipping products) ", length: true },
+    254: { name: "RFC3692-style Experiment 2 (also improperly used for shipping products) ", length: true }
+};
+
+/**
+ * Parses the TCP Alternate Checksum Request field
+ * @param {Uint8Array} data
+ */
+function tcpAlternateChecksumParser(data) {
+    const lookup = {
+        0: "TCP Checksum",
+        1: "8-bit Fletchers's algorithm",
+        2: "16-bit Fletchers's algorithm",
+        3: "Redundant Checksum Avoidance"
+    }[data[0]];
+
+    return `${lookup} (0x${toHexFast(data)})`;
+}
+
+/**
+ * Parses the TCP Timestamp field
+ * @param {Uint8Array} data
+ */
+function tcpTimestampParser(data) {
+    const s = new Stream(data);
+
+    if (s.length !== 8)
+        return `Error: Timestamp field should be 8 bytes long (received 0x${toHexFast(data)})`;
+
+    const tsval = bytesToLargeNumber(s.getBytes(4)),
+        tsecr = bytesToLargeNumber(s.getBytes(4));
+
+    return {
+        "Current Timestamp": tsval,
+        "Echo Reply": tsecr
+    };
+}
+
+/**
+ * Parses the Window Scale field
+ * @param {Uint8Array} data
+ */
+function windowScaleParser(data) {
+    if (data.length !== 1)
+        return `Error: Window Scale should be one byte long (received 0x${toHexFast(data)})`;
+
+    return {
+        "Shift count": data[0],
+        "Multiplier": 1 << data[0]
+    };
+}
+
+export default ParseTCP;

package/src/core/operations/ParseUDP.mjs

@@ -6,7 +6,9 @@
 
 import Operation from "../Operation.mjs";
 import Stream from "../lib/Stream.mjs";
-import {toHex} from "../lib/Hex.mjs";
+import {toHexFast, fromHex} from "../lib/Hex.mjs";
+import {objToTable} from "../lib/Protocol.mjs";
+import Utils from "../Utils.mjs";
 import OperationError from "../errors/OperationError.mjs";
 
 /**
@@ -24,58 +26,61 @@ class ParseUDP extends Operation {
         this.module = "Default";
         this.description = "Parses a UDP header and payload (if present).";
         this.infoURL = "https://wikipedia.org/wiki/User_Datagram_Protocol";
-        this.inputType = "ArrayBuffer";
+        this.inputType = "string";
         this.outputType = "json";
         this.presentType = "html";
-        this.args = [];
+        this.args = [
+            {
+                name: "Input format",
+                type: "option",
+                value: ["Hex", "Raw"]
+            }
+        ];
     }
 
     /**
-     * @param {ArrayBuffer} input
+     * @param {string} input
+     * @param {Object[]} args
      * @returns {Object}
      */
     run(input, args) {
-        if (input.byteLength < 8) {
-            throw new OperationError("Need 8 bytes for a UDP Header");
+        const format = args[0];
+
+        if (format === "Hex") {
+            input = fromHex(input);
+        } else if (format === "Raw") {
+            input = Utils.strToArrayBuffer(input);
+        } else {
+            throw new OperationError("Unrecognised input format.");
         }
 
         const s = new Stream(new Uint8Array(input));
+        if (s.length < 8) {
+            throw new OperationError("Need 8 bytes for a UDP Header");
+        }
+
         // Parse Header
         const UDPPacket = {
             "Source port": s.readInt(2),
             "Destination port": s.readInt(2),
             "Length": s.readInt(2),
-            "Checksum": toHex(s.getBytes(2), "")
+            "Checksum": "0x" + toHexFast(s.getBytes(2))
         };
         // Parse data if present
         if (s.hasMore()) {
-            UDPPacket.Data = toHex(s.getBytes(UDPPacket.Length - 8), "");
+            UDPPacket.Data = "0x" + toHexFast(s.getBytes(UDPPacket.Length - 8));
         }
 
         return UDPPacket;
     }
 
     /**
-     * Displays the UDP Packet in a table style
+     * Displays the UDP Packet in a tabular style
      * @param {Object} data
      * @returns {html}
      */
     present(data) {
-        const html = [];
-        html.push("<table class='table table-hover table-sm table-bordered table-nonfluid' style='table-layout: fixed'>");
-        html.push("<tr>");
-        html.push("<th>Field</th>");
-        html.push("<th>Value</th>");
-        html.push("</tr>");
-
-        for (const key in data) {
-            html.push("<tr>");
-            html.push("<td style=\"word-wrap:break-word\">" + key + "</td>");
-            html.push("<td>" + data[key] + "</td>");
-            html.push("</tr>");
-        }
-        html.push("</table>");
-        return html.join("");
+        return objToTable(data);
     }
 
 }

package/src/core/operations/Sort.mjs

@@ -7,6 +7,7 @@
 import Operation from "../Operation.mjs";
 import Utils from "../Utils.mjs";
 import {INPUT_DELIM_OPTIONS} from "../lib/Delim.mjs";
+import {caseInsensitiveSort, ipSort, numericSort, hexadecimalSort} from "../lib/Sort.mjs";
 
 /**
  * Sort operation
@@ -57,120 +58,19 @@ class Sort extends Operation {
         if (order === "Alphabetical (case sensitive)") {
             sorted = sorted.sort();
         } else if (order === "Alphabetical (case insensitive)") {
-            sorted = sorted.sort(Sort._caseInsensitiveSort);
+            sorted = sorted.sort(caseInsensitiveSort);
         } else if (order === "IP address") {
-            sorted = sorted.sort(Sort._ipSort);
+            sorted = sorted.sort(ipSort);
         } else if (order === "Numeric") {
-            sorted = sorted.sort(Sort._numericSort);
+            sorted = sorted.sort(numericSort);
         } else if (order === "Numeric (hexadecimal)") {
-            sorted = sorted.sort(Sort._hexadecimalSort);
+            sorted = sorted.sort(hexadecimalSort);
         }
 
         if (sortReverse) sorted.reverse();
         return sorted.join(delim);
     }
 
-    /**
-     * Comparison operation for sorting of strings ignoring case.
-     *
-     * @private
-     * @param {string} a
-     * @param {string} b
-     * @returns {number}
-     */
-    static _caseInsensitiveSort(a, b) {
-        return a.toLowerCase().localeCompare(b.toLowerCase());
-    }
-
-
-    /**
-     * Comparison operation for sorting of IPv4 addresses.
-     *
-     * @private
-     * @param {string} a
-     * @param {string} b
-     * @returns {number}
-     */
-    static _ipSort(a, b) {
-        let a_ = a.split("."),
-            b_ = b.split(".");
-
-        a_ = a_[0] * 0x1000000 + a_[1] * 0x10000 + a_[2] * 0x100 + a_[3] * 1;
-        b_ = b_[0] * 0x1000000 + b_[1] * 0x10000 + b_[2] * 0x100 + b_[3] * 1;
-
-        if (isNaN(a_) && !isNaN(b_)) return 1;
-        if (!isNaN(a_) && isNaN(b_)) return -1;
-        if (isNaN(a_) && isNaN(b_)) return a.localeCompare(b);
-
-        return a_ - b_;
-    }
-
-    /**
-     * Comparison operation for sorting of numeric values.
-     *
-     * @author Chris van Marle
-     * @private
-     * @param {string} a
-     * @param {string} b
-     * @returns {number}
-     */
-    static _numericSort(a, b) {
-        const a_ = a.split(/([^\d]+)/),
-            b_ = b.split(/([^\d]+)/);
-
-        for (let i = 0; i < a_.length && i < b.length; ++i) {
-            if (isNaN(a_[i]) && !isNaN(b_[i])) return 1; // Numbers after non-numbers
-            if (!isNaN(a_[i]) && isNaN(b_[i])) return -1;
-            if (isNaN(a_[i]) && isNaN(b_[i])) {
-                const ret = a_[i].localeCompare(b_[i]); // Compare strings
-                if (ret !== 0) return ret;
-            }
-            if (!isNaN(a_[i]) && !isNaN(b_[i])) { // Compare numbers
-                if (a_[i] - b_[i] !== 0) return a_[i] - b_[i];
-            }
-        }
-
-        return a.localeCompare(b);
-    }
-
-    /**
-     * Comparison operation for sorting of hexadecimal values.
-     *
-     * @author Chris van Marle
-     * @private
-     * @param {string} a
-     * @param {string} b
-     * @returns {number}
-     */
-    static _hexadecimalSort(a, b) {
-        let a_ = a.split(/([^\da-f]+)/i),
-            b_ = b.split(/([^\da-f]+)/i);
-
-        a_ = a_.map(v => {
-            const t = parseInt(v, 16);
-            return isNaN(t) ? v : t;
-        });
-
-        b_ = b_.map(v => {
-            const t = parseInt(v, 16);
-            return isNaN(t) ? v : t;
-        });
-
-        for (let i = 0; i < a_.length && i < b.length; ++i) {
-            if (isNaN(a_[i]) && !isNaN(b_[i])) return 1; // Numbers after non-numbers
-            if (!isNaN(a_[i]) && isNaN(b_[i])) return -1;
-            if (isNaN(a_[i]) && isNaN(b_[i])) {
-                const ret = a_[i].localeCompare(b_[i]); // Compare strings
-                if (ret !== 0) return ret;
-            }
-            if (!isNaN(a_[i]) && !isNaN(b_[i])) { // Compare numbers
-                if (a_[i] - b_[i] !== 0) return a_[i] - b_[i];
-            }
-        }
-
-        return a.localeCompare(b);
-    }
-
 }
 
 export default Sort;

package/src/core/operations/Strings.mjs

@@ -7,6 +7,7 @@
 import Operation from "../Operation.mjs";
 import XRegExp from "xregexp";
 import { search } from "../lib/Extract.mjs";
+import { caseInsensitiveSort } from "../lib/Sort.mjs";
 
 /**
  * Strings operation
@@ -27,27 +28,37 @@ class Strings extends Operation {
         this.outputType = "string";
         this.args = [
             {
-                "name": "Encoding",
-                "type": "option",
-                "value": ["Single byte", "16-bit littleendian", "16-bit bigendian", "All"]
+                name: "Encoding",
+                type: "option",
+                value: ["Single byte", "16-bit littleendian", "16-bit bigendian", "All"]
             },
             {
-                "name": "Minimum length",
-                "type": "number",
-                "value": 4
+                name: "Minimum length",
+                type: "number",
+                value: 4
             },
             {
-                "name": "Match",
-                "type": "option",
-                "value": [
+                name: "Match",
+                type: "option",
+                value: [
                     "[ASCII]", "Alphanumeric + punctuation (A)", "All printable chars (A)", "Null-terminated strings (A)",
                     "[Unicode]", "Alphanumeric + punctuation (U)", "All printable chars (U)", "Null-terminated strings (U)"
                 ]
             },
             {
-                "name": "Display total",
-                "type": "boolean",
-                "value": false
+                name: "Display total",
+                type: "boolean",
+                value: false
+            },
+            {
+                name: "Sort",
+                type: "boolean",
+                value: false
+            },
+            {
+                name: "Unique",
+                type: "boolean",
+                value: false
             }
         ];
     }
@@ -58,7 +69,7 @@ class Strings extends Operation {
      * @returns {string}
      */
     run(input, args) {
-        const [encoding, minLen, matchType, displayTotal] = args,
+        const [encoding, minLen, matchType, displayTotal, sort, unique] = args,
             alphanumeric = "A-Z\\d",
             punctuation = "/\\-:.,_$%'\"()<>= !\\[\\]{}@",
             printable = "\x20-\x7e",
@@ -108,8 +119,19 @@ class Strings extends Operation {
         }
 
         const regex = new XRegExp(strings, "ig");
+        const results = search(
+            input,
+            regex,
+            null,
+            sort ? caseInsensitiveSort : null,
+            unique
+        );
 
-        return search(input, regex, null, displayTotal);
+        if (displayTotal) {
+            return `Total found: ${results.length}\n\n${results.join("\n")}`;
+        } else {
+            return results.join("\n");
+        }
     }
 
 }

package/src/core/operations/ToBase45.mjs

@@ -65,6 +65,10 @@ class ToBase45 extends Operation {
 
             if (chars < 2) {
                 res.push("0");
+                chars++;
+            }
+            if (pair.length > 1 && chars < 3) {
+                res.push("0");
             }
         }
 

package/src/core/operations/ToHex.mjs

@@ -67,7 +67,7 @@ class ToHex extends Operation {
      * @returns {Object[]} pos
      */
     highlight(pos, args) {
-        let delim, commaLen;
+        let delim, commaLen = 0;
         if (args[0] === "0x with comma") {
             delim = "0x";
             commaLen = 1;
@@ -86,7 +86,7 @@ class ToHex extends Operation {
         pos[0].start = pos[0].start * (2 + len) + countLF(pos[0].start);
         pos[0].end = pos[0].end * (2 + len) + countLF(pos[0].end);
 
-        // if the deliminators are not prepended, trim the trailing deliminator
+        // if the delimiters are not prepended, trim the trailing delimiter
         if (!(delim === "0x" || delim === "\\x")) {
             pos[0].end -= delim.length;
         }

package/src/core/operations/Unique.mjs

@@ -26,9 +26,14 @@ class Unique extends Operation {
         this.outputType = "string";
         this.args = [
             {
-                "name": "Delimiter",
-                "type": "option",
-                "value": INPUT_DELIM_OPTIONS
+                name: "Delimiter",
+                type: "option",
+                value: INPUT_DELIM_OPTIONS
+            },
+            {
+                name: "Display count",
+                type: "boolean",
+                value: false
             }
         ];
     }
@@ -39,8 +44,23 @@ class Unique extends Operation {
      * @returns {string}
      */
     run(input, args) {
-        const delim = Utils.charRep(args[0]);
-        return input.split(delim).unique().join(delim);
+        const delim = Utils.charRep(args[0]),
+            count = args[1];
+
+        if (count) {
+            const valMap = input.split(delim).reduce((acc, curr) => {
+                if (Object.prototype.hasOwnProperty.call(acc, curr)) {
+                    acc[curr]++;
+                } else {
+                    acc[curr] = 1;
+                }
+                return acc;
+            }, {});
+
+            return Object.keys(valMap).map(val => `${valMap[val]} ${val}`).join(delim);
+        } else {
+            return input.split(delim).unique().join(delim);
+        }
     }
 
 }

package/src/core/operations/index.mjs

@@ -229,6 +229,7 @@ import ParseIPv6Address from "./ParseIPv6Address.mjs";
 import ParseObjectIDTimestamp from "./ParseObjectIDTimestamp.mjs";
 import ParseQRCode from "./ParseQRCode.mjs";
 import ParseSSHHostKey from "./ParseSSHHostKey.mjs";
+import ParseTCP from "./ParseTCP.mjs";
 import ParseTLV from "./ParseTLV.mjs";
 import ParseUDP from "./ParseUDP.mjs";
 import ParseUNIXFilePermissions from "./ParseUNIXFilePermissions.mjs";
@@ -601,6 +602,7 @@ export {
     ParseObjectIDTimestamp,
     ParseQRCode,
     ParseSSHHostKey,
+    ParseTCP,
     ParseTLV,
     ParseUDP,
     ParseUNIXFilePermissions,

package/src/node/index.mjs

@@ -230,6 +230,7 @@ import {
     ParseObjectIDTimestamp as core_ParseObjectIDTimestamp,
     ParseQRCode as core_ParseQRCode,
     ParseSSHHostKey as core_ParseSSHHostKey,
+    ParseTCP as core_ParseTCP,
     ParseTLV as core_ParseTLV,
     ParseUDP as core_ParseUDP,
     ParseUNIXFilePermissions as core_ParseUNIXFilePermissions,
@@ -602,6 +603,7 @@ function generateChef() {
         "parseObjectIDTimestamp": _wrap(core_ParseObjectIDTimestamp),
         "parseQRCode": _wrap(core_ParseQRCode),
         "parseSSHHostKey": _wrap(core_ParseSSHHostKey),
+        "parseTCP": _wrap(core_ParseTCP),
         "parseTLV": _wrap(core_ParseTLV),
         "parseUDP": _wrap(core_ParseUDP),
         "parseUNIXFilePermissions": _wrap(core_ParseUNIXFilePermissions),
@@ -991,6 +993,7 @@ const parseIPv6Address = chef.parseIPv6Address;
 const parseObjectIDTimestamp = chef.parseObjectIDTimestamp;
 const parseQRCode = chef.parseQRCode;
 const parseSSHHostKey = chef.parseSSHHostKey;
+const parseTCP = chef.parseTCP;
 const parseTLV = chef.parseTLV;
 const parseUDP = chef.parseUDP;
 const parseUNIXFilePermissions = chef.parseUNIXFilePermissions;
@@ -1365,6 +1368,7 @@ const operations = [
     parseObjectIDTimestamp,
     parseQRCode,
     parseSSHHostKey,
+    parseTCP,
     parseTLV,
     parseUDP,
     parseUNIXFilePermissions,
@@ -1743,6 +1747,7 @@ export {
     parseObjectIDTimestamp,
     parseQRCode,
     parseSSHHostKey,
+    parseTCP,
     parseTLV,
     parseUDP,
     parseUNIXFilePermissions,