cyberchef 9.46.5 → 9.46.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +3 -2
- package/src/core/config/OperationConfig.json +14 -1
- package/src/core/operations/ParseSSHHostKey.mjs +3 -1
- package/src/core/operations/YARARules.mjs +24 -6
- package/tests/operations/tests/ParseSSHHostKey.mjs +12 -0
- package/tests/operations/tests/YARA.mjs +67 -0
- package/webpack.config.js +2 -1
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "cyberchef",
|
|
3
|
-
"version": "9.46.
|
|
3
|
+
"version": "9.46.7",
|
|
4
4
|
"description": "The Cyber Swiss Army Knife for encryption, encoding, compression and data analysis.",
|
|
5
5
|
"author": "n1474335 <n1474335@gmail.com>",
|
|
6
6
|
"homepage": "https://gchq.github.io/CyberChef",
|
|
@@ -128,7 +128,7 @@
|
|
|
128
128
|
"jsrsasign": "^10.5.23",
|
|
129
129
|
"kbpgp": "2.1.15",
|
|
130
130
|
"libbzip2-wasm": "0.0.4",
|
|
131
|
-
"libyara-wasm": "^1.1
|
|
131
|
+
"libyara-wasm": "^1.2.1",
|
|
132
132
|
"lodash": "^4.17.21",
|
|
133
133
|
"loglevel": "^1.8.0",
|
|
134
134
|
"loglevel-message-prefix": "^3.0.0",
|
|
@@ -167,6 +167,7 @@
|
|
|
167
167
|
"scripts": {
|
|
168
168
|
"start": "npx grunt dev",
|
|
169
169
|
"build": "npx grunt prod",
|
|
170
|
+
"node": "npx grunt node",
|
|
170
171
|
"repl": "node --experimental-modules --experimental-json-modules --experimental-specifier-resolution=node --no-warnings src/node/repl.mjs",
|
|
171
172
|
"test": "npx grunt configTests && node --experimental-modules --experimental-json-modules --no-warnings --no-deprecation tests/node/index.mjs && node --experimental-modules --experimental-json-modules --no-warnings --no-deprecation tests/operations/index.mjs",
|
|
172
173
|
"testnodeconsumer": "npx grunt testnodeconsumer",
|
|
@@ -9478,6 +9478,7 @@
|
|
|
9478
9478
|
"Europe/Kaliningrad",
|
|
9479
9479
|
"Europe/Kiev",
|
|
9480
9480
|
"Europe/Kirov",
|
|
9481
|
+
"Europe/Kyiv",
|
|
9481
9482
|
"Europe/Lisbon",
|
|
9482
9483
|
"Europe/Ljubljana",
|
|
9483
9484
|
"Europe/London",
|
|
@@ -9720,7 +9721,7 @@
|
|
|
9720
9721
|
},
|
|
9721
9722
|
"Parse SSH Host Key": {
|
|
9722
9723
|
"module": "Default",
|
|
9723
|
-
"description": "Parses a SSH host key and extracts fields from it.<br>The key type can be:<ul><li>ssh-rsa</li><li>ssh-dss</li><li>ecdsa-sha2</li></ul>The key format can be either Hex or Base64.",
|
|
9724
|
+
"description": "Parses a SSH host key and extracts fields from it.<br>The key type can be:<ul><li>ssh-rsa</li><li>ssh-dss</li><li>ecdsa-sha2</li><li>ssh-ed25519</li></ul>The key format can be either Hex or Base64.",
|
|
9724
9725
|
"infoURL": "https://wikipedia.org/wiki/Secure_Shell",
|
|
9725
9726
|
"inputType": "string",
|
|
9726
9727
|
"outputType": "string",
|
|
@@ -14861,6 +14862,7 @@
|
|
|
14861
14862
|
"Europe/Kaliningrad",
|
|
14862
14863
|
"Europe/Kiev",
|
|
14863
14864
|
"Europe/Kirov",
|
|
14865
|
+
"Europe/Kyiv",
|
|
14864
14866
|
"Europe/Lisbon",
|
|
14865
14867
|
"Europe/Ljubljana",
|
|
14866
14868
|
"Europe/London",
|
|
@@ -15467,6 +15469,7 @@
|
|
|
15467
15469
|
"Europe/Kaliningrad",
|
|
15468
15470
|
"Europe/Kiev",
|
|
15469
15471
|
"Europe/Kirov",
|
|
15472
|
+
"Europe/Kyiv",
|
|
15470
15473
|
"Europe/Lisbon",
|
|
15471
15474
|
"Europe/Ljubljana",
|
|
15472
15475
|
"Europe/London",
|
|
@@ -16835,6 +16838,16 @@
|
|
|
16835
16838
|
"name": "Show counts",
|
|
16836
16839
|
"type": "boolean",
|
|
16837
16840
|
"value": true
|
|
16841
|
+
},
|
|
16842
|
+
{
|
|
16843
|
+
"name": "Show rule warnings",
|
|
16844
|
+
"type": "boolean",
|
|
16845
|
+
"value": true
|
|
16846
|
+
},
|
|
16847
|
+
{
|
|
16848
|
+
"name": "Show console module messages",
|
|
16849
|
+
"type": "boolean",
|
|
16850
|
+
"value": true
|
|
16838
16851
|
}
|
|
16839
16852
|
]
|
|
16840
16853
|
},
|
|
@@ -23,7 +23,7 @@ class ParseSSHHostKey extends Operation {
|
|
|
23
23
|
|
|
24
24
|
this.name = "Parse SSH Host Key";
|
|
25
25
|
this.module = "Default";
|
|
26
|
-
this.description = "Parses a SSH host key and extracts fields from it.<br>The key type can be:<ul><li>ssh-rsa</li><li>ssh-dss</li><li>ecdsa-sha2</li></ul>The key format can be either Hex or Base64.";
|
|
26
|
+
this.description = "Parses a SSH host key and extracts fields from it.<br>The key type can be:<ul><li>ssh-rsa</li><li>ssh-dss</li><li>ecdsa-sha2</li><li>ssh-ed25519</li></ul>The key format can be either Hex or Base64.";
|
|
27
27
|
this.infoURL = "https://wikipedia.org/wiki/Secure_Shell";
|
|
28
28
|
this.inputType = "string";
|
|
29
29
|
this.outputType = "string";
|
|
@@ -71,6 +71,8 @@ class ParseSSHHostKey extends Operation {
|
|
|
71
71
|
} else if (keyType.startsWith("ecdsa-sha2")) {
|
|
72
72
|
output += `\nCurve: ${Utils.byteArrayToChars(fromHex(fields[1]))}`;
|
|
73
73
|
output += `\nPoint: 0x${fields.slice(2)}`;
|
|
74
|
+
} else if (keyType === "ssh-ed25519") {
|
|
75
|
+
output += `\nx: 0x${fields[1]}`;
|
|
74
76
|
} else {
|
|
75
77
|
output += "\nUnsupported key type.";
|
|
76
78
|
output += `\nParameters: ${fields.slice(1)}`;
|
|
@@ -52,7 +52,17 @@ class YARARules extends Operation {
|
|
|
52
52
|
name: "Show counts",
|
|
53
53
|
type: "boolean",
|
|
54
54
|
value: true
|
|
55
|
-
}
|
|
55
|
+
},
|
|
56
|
+
{
|
|
57
|
+
name: "Show rule warnings",
|
|
58
|
+
type: "boolean",
|
|
59
|
+
value: true
|
|
60
|
+
},
|
|
61
|
+
{
|
|
62
|
+
name: "Show console module messages",
|
|
63
|
+
type: "boolean",
|
|
64
|
+
value: true
|
|
65
|
+
},
|
|
56
66
|
];
|
|
57
67
|
}
|
|
58
68
|
|
|
@@ -64,7 +74,7 @@ class YARARules extends Operation {
|
|
|
64
74
|
async run(input, args) {
|
|
65
75
|
if (isWorkerEnvironment())
|
|
66
76
|
self.sendStatusMessage("Instantiating YARA...");
|
|
67
|
-
const [rules, showStrings, showLengths, showMeta, showCounts] = args;
|
|
77
|
+
const [rules, showStrings, showLengths, showMeta, showCounts, showRuleWarns, showConsole] = args;
|
|
68
78
|
return new Promise((resolve, reject) => {
|
|
69
79
|
Yara().then(yara => {
|
|
70
80
|
if (isWorkerEnvironment()) self.sendStatusMessage("Converting data for YARA.");
|
|
@@ -83,11 +93,19 @@ class YARARules extends Operation {
|
|
|
83
93
|
const compileError = resp.compileErrors.get(i);
|
|
84
94
|
if (!compileError.warning) {
|
|
85
95
|
reject(new OperationError(`Error on line ${compileError.lineNumber}: ${compileError.message}`));
|
|
86
|
-
} else {
|
|
87
|
-
matchString += `Warning on line ${compileError.lineNumber}: ${compileError.message}`;
|
|
96
|
+
} else if (showRuleWarns) {
|
|
97
|
+
matchString += `Warning on line ${compileError.lineNumber}: ${compileError.message}\n`;
|
|
88
98
|
}
|
|
89
99
|
}
|
|
90
100
|
}
|
|
101
|
+
|
|
102
|
+
if (showConsole) {
|
|
103
|
+
const consoleLogs = resp.consoleLogs;
|
|
104
|
+
for (let i = 0; i < consoleLogs.size(); i++) {
|
|
105
|
+
matchString += consoleLogs.get(i) + "\n";
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
|
|
91
109
|
const matchedRules = resp.matchedRules;
|
|
92
110
|
for (let i = 0; i < matchedRules.size(); i++) {
|
|
93
111
|
const rule = matchedRules.get(i);
|
|
@@ -100,11 +118,11 @@ class YARARules extends Operation {
|
|
|
100
118
|
}
|
|
101
119
|
meta = meta.slice(0, -2) + "]";
|
|
102
120
|
}
|
|
103
|
-
const countString = showCounts ?
|
|
121
|
+
const countString = matches.size() === 0 ? "" : (showCounts ? ` (${matches.size()} time${matches.size() > 1 ? "s" : ""})` : "");
|
|
104
122
|
if (matches.size() === 0 || !(showStrings || showLengths)) {
|
|
105
123
|
matchString += `Input matches rule "${rule.ruleName}"${meta}${countString.length > 0 ? ` ${countString}`: ""}.\n`;
|
|
106
124
|
} else {
|
|
107
|
-
matchString += `Rule "${rule.ruleName}"${meta} matches
|
|
125
|
+
matchString += `Rule "${rule.ruleName}"${meta} matches${countString}:\n`;
|
|
108
126
|
for (let j = 0; j < matches.size(); j++) {
|
|
109
127
|
const match = matches.get(j);
|
|
110
128
|
if (showStrings || showLengths) {
|
|
@@ -49,6 +49,18 @@ Point: 0x046c59592006272250a15070142a6be36d1e45464313f930d985a6e6f0eba3cd39d0367
|
|
|
49
49
|
}
|
|
50
50
|
]
|
|
51
51
|
},
|
|
52
|
+
{
|
|
53
|
+
name: "SSH Host Key: Ed25519",
|
|
54
|
+
input: "AAAAC3NzaC1lZDI1NTE5AAAAIBOF6r99IkvqGu1kwZrHHIqjpTB5w79bpv67B/Aw3+WJ",
|
|
55
|
+
expectedOutput: `Key type: ssh-ed25519
|
|
56
|
+
x: 0x1385eabf7d224bea1aed64c19ac71c8aa3a53079c3bf5ba6febb07f030dfe589`,
|
|
57
|
+
recipeConfig: [
|
|
58
|
+
{
|
|
59
|
+
op: "Parse SSH Host Key",
|
|
60
|
+
args: ["Base64"]
|
|
61
|
+
}
|
|
62
|
+
]
|
|
63
|
+
},
|
|
52
64
|
{
|
|
53
65
|
name: "SSH Host Key: Extract key",
|
|
54
66
|
input: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiJZ/9W9Ix/Dk9b+K4E+RGCug1AtkGXaJ9vNIY0YHFHLpWsB8DAuh/cGEI9TLbL1gzR2wG+RJNQ2EAQVWe6ypkK63Jm4zw4re+vhEiszpnP889J0h5N9yzyTndesrl4d3cQtv861FcKDPxUJbRALdtl6gwOB7BCL8gsXJLLVLO4EesrbPXD454qpVt7CgJXEXByOFjcIm3XwkdOnXMPHHnMSD7EIN1SvQMD6PfIDrbDd6KQt5QXW/Rc/BsfX5cbUIV1QW5A/GbepXHHKmWRtLC2J/mH3hW2Zq/hITPEaJdG1CtIilQmJaZGXpfGIwFeb0Av9pSL926arZZ6vDi9ctF test@test",
|
|
@@ -8,6 +8,22 @@
|
|
|
8
8
|
*/
|
|
9
9
|
import TestRegister from "../../lib/TestRegister.mjs";
|
|
10
10
|
|
|
11
|
+
const CONSOLE_COMPILE_WARNING_RULE = `import "console"
|
|
12
|
+
rule a
|
|
13
|
+
{
|
|
14
|
+
strings:
|
|
15
|
+
$s=" "
|
|
16
|
+
condition:
|
|
17
|
+
$s and console.log("log rule a")
|
|
18
|
+
}
|
|
19
|
+
rule b
|
|
20
|
+
{
|
|
21
|
+
strings:
|
|
22
|
+
$s=" "
|
|
23
|
+
condition:
|
|
24
|
+
$s and console.hex("log rule b: int8(0)=", int8(0))
|
|
25
|
+
}`;
|
|
26
|
+
|
|
11
27
|
TestRegister.addTests([
|
|
12
28
|
{
|
|
13
29
|
name: "YARA Match: simple foobar",
|
|
@@ -20,5 +36,56 @@ TestRegister.addTests([
|
|
|
20
36
|
}
|
|
21
37
|
],
|
|
22
38
|
},
|
|
39
|
+
{
|
|
40
|
+
name: "YARA Match: hashing rules",
|
|
41
|
+
input: "Hello World!",
|
|
42
|
+
expectedOutput: "Input matches rule \"HelloWorldMD5\".\nInput matches rule \"HelloWorldSHA256\".\n",
|
|
43
|
+
recipeConfig: [
|
|
44
|
+
{
|
|
45
|
+
"op": "YARA Rules",
|
|
46
|
+
"args": [
|
|
47
|
+
`import "hash"
|
|
48
|
+
rule HelloWorldMD5 {
|
|
49
|
+
condition:
|
|
50
|
+
hash.md5(0,filesize) == "ed076287532e86365e841e92bfc50d8c"
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
rule HelloWorldSHA256 {
|
|
54
|
+
condition:
|
|
55
|
+
hash.sha256(0,filesize) == "7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069"
|
|
56
|
+
}`,
|
|
57
|
+
true, true, true, true, false, false
|
|
58
|
+
],
|
|
59
|
+
}
|
|
60
|
+
],
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
name: "YARA Match: compile warnings",
|
|
64
|
+
input: "CyberChef Yara",
|
|
65
|
+
expectedOutput: "Warning on line 5: string \"$s\" may slow down scanning\n" +
|
|
66
|
+
"Warning on line 12: string \"$s\" may slow down scanning\n" +
|
|
67
|
+
"Input matches rule \"a\".\n" +
|
|
68
|
+
"Input matches rule \"b\".\n",
|
|
69
|
+
recipeConfig: [
|
|
70
|
+
{
|
|
71
|
+
"op": "YARA Rules",
|
|
72
|
+
"args": [CONSOLE_COMPILE_WARNING_RULE, false, false, false, false, true, false],
|
|
73
|
+
}
|
|
74
|
+
],
|
|
75
|
+
},
|
|
76
|
+
{
|
|
77
|
+
name: "YARA Match: console messages",
|
|
78
|
+
input: "CyberChef Yara",
|
|
79
|
+
expectedOutput: "log rule a\n" +
|
|
80
|
+
"log rule b: int8(0)=0x43\n" +
|
|
81
|
+
"Input matches rule \"a\".\n" +
|
|
82
|
+
"Input matches rule \"b\".\n",
|
|
83
|
+
recipeConfig: [
|
|
84
|
+
{
|
|
85
|
+
"op": "YARA Rules",
|
|
86
|
+
"args": [CONSOLE_COMPILE_WARNING_RULE, false, false, false, false, false, true],
|
|
87
|
+
}
|
|
88
|
+
],
|
|
89
|
+
},
|
|
23
90
|
]);
|
|
24
91
|
|
package/webpack.config.js
CHANGED
|
@@ -109,7 +109,8 @@ module.exports = {
|
|
|
109
109
|
"buffer": require.resolve("buffer/"),
|
|
110
110
|
"crypto": require.resolve("crypto-browserify"),
|
|
111
111
|
"stream": require.resolve("stream-browserify"),
|
|
112
|
-
"zlib": require.resolve("browserify-zlib")
|
|
112
|
+
"zlib": require.resolve("browserify-zlib"),
|
|
113
|
+
"process": false
|
|
113
114
|
}
|
|
114
115
|
},
|
|
115
116
|
module: {
|