
CyberChef Charcuterie #2 - IP Potstickers

Today we're highlighting some of the built-in recipes that will make your life a little easier when analyzing or working with IP addresses.

by Jacob Gray


Welcome to CyberChef Charcuterie, the blog series where we slice and dice our way through the exciting world of CyberChef! In each post, I'll feature a variety of tasty CyberChef recipes that I have cooked up or curated from around the web.

Just like charcuterie, these CyberChef recipes are bite-sized and easy to sample, perfect for exploring new techniques and experimenting with new flavors. From data analysis to decoding, CyberChef has something to offer for everyone, and I'm excited to share some of my favorite recipes with you. Feel free to leave a comment if you have any suggestions or recipes to share. I would be excited to include them in a future post.

Grab your keyboard and dig in!

What’s on the Menu This Week?

Today we're highlighting some of the built-in recipes that will make your life a little easier when analyzing or working with IP addresses. Whether you're investigating network traffic for security purposes or simply looking to clean up spreadsheets of network infrastructure, the Parse IP Range, Group IP Addresses, and Extract/Unique/Sort recipes are essential tools in your CyberChef toolkit. So fire up your CyberChef workstations, and get ready to cook up some delicious new insights into your network traffic data!

How To Save or Load Recipes

If you need any help managing your cookbook and would like to know how you can save or load the recipes in this post, check out this article.

Saving and Loading Recipes in CyberChef
Say goodbye to the hassle of repeatedly building complex recipes from scratch, and hello to a more efficient workflow in CyberChef.

Recipe #1 - Parse IP Range

When working with CIDR ranges like 192.168.1.87/24 or 10.100.6.43/16, it's easy to see which host addresses fall within those ranges. But what if you want to find out which addresses fall within a less common range like 172.19.43.20/22? Or, maybe you have a list of IPs and need to find the minimum subnet that can hold them all? Finding these answers manually is doable, but can be tedious, and many people turn to online calculators for help. However, did you know that CyberChef has a built-in recipe that can answer these questions for us?

Find all IPs in CIDR range

If we provide an IP address with a CIDR prefix, the Parse IP Range recipe returns information about the network range and lists every IP in it. This makes it easy to check whether a specific IP falls inside a subnet, and to get a list of the individual IPs that make up a subnet.

💡 To return just the list of IPs, uncheck the "Include network info" option. Alternatively, if you just want the subnet summary, uncheck "Enumerate IP addresses".

CyberChef Link

Example

Find the smallest CIDR for IPs

If we provide a list of IPs to the Parse IP Range recipe, it will output the minimum subnet required to hold the range. This can be useful if we are creating our own networks or trying to work out the CIDR for a list of IPs we believe to be in the same subnet.
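To cross-check the recipe's output or script the same calculations outside CyberChef, here is an added Python example (not part of the original post and not CyberChef's own code) covering both uses above: summarising a CIDR range and finding the smallest subnet for a list of IPs. The function names and the sample list are assumptions made for illustration.

```python
import ipaddress


def parse_cidr(cidr):
    """Network summary for an address/prefix; host bits may be set."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {"network": str(net), "first": str(net[0]),
            "last": str(net[-1]), "total": net.num_addresses}


def contains(cidr, ip):
    """True if ip falls inside the network that cidr belongs to."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def smallest_cidr(addresses):
    """Smallest single network that holds every address in the list."""
    ips = [ipaddress.ip_address(a.strip()) for a in addresses if a.strip()]
    if not ips:
        raise ValueError("no addresses given")
    if len({ip.version for ip in ips}) != 1:
        raise ValueError("cannot mix IPv4 and IPv6")
    lo, hi = min(ips), max(ips)
    # Every bit above the highest bit where lowest and highest address
    # differ is shared by the whole list, so those bits form the prefix.
    prefix = lo.max_prefixlen - (int(lo) ^ int(hi)).bit_length()
    return str(ipaddress.ip_network(f"{lo}/{prefix}", strict=False))


# Constructed sample list (hypothetical hosts believed to share a subnet)
SAMPLE_IPS = ["192.168.1.10", "192.168.1.200", "192.168.2.5"]

if __name__ == "__main__":
    print(parse_cidr("172.19.43.20/22"))
    print(contains("172.19.43.20/22", "172.19.44.1"))
    print(smallest_cidr(SAMPLE_IPS))
```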

CyberChef Link

Example

Recipe #2 - Group IP Addresses

If we have a list of IPs and we want to organize them based on their expected subnets, we can use the Group IP Addresses recipe. This can be a useful recipe when working with a large list of IPs and we want to quickly see what subnets are most likely being used on a network.

💡 Checking the "Only show the subnets" option will output just the list of subnets in CIDR notation. You could then add the Parse IP Range recipe to generate a list of each individual IP in those subnets!
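The grouping described above, as an added Python example (not part of the original post and not CyberChef's own code): it buckets addresses by a chosen prefix length and lists the busiest subnets first. The function name and the sample list are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict


def group_by_subnet(lines, prefix=24):
    """Bucket IPv4 addresses by the /prefix network that contains them."""
    groups = defaultdict(set)
    for line in lines:
        try:
            ip = ipaddress.IPv4Address(line.strip())
        except ipaddress.AddressValueError:
            continue  # skip blanks and anything that is not an IPv4 address
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[net].add(ip)  # a set, so repeated addresses count once
    # Busiest subnets first; ties are broken by network address.
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(str(net), [str(ip) for ip in sorted(ips)]) for net, ips in ordered]


# Constructed sample input, including a duplicate and a non-IP line
SAMPLE = ["10.1.1.5", "10.1.1.9", "10.1.2.7", "192.168.50.4",
          "10.1.1.5", "garbage", "192.168.50.200", "10.1.1.77"]

if __name__ == "__main__":
    for subnet, members in group_by_subnet(SAMPLE, prefix=24):
        print(subnet, members)
```

The prefix length decides what counts as "one subnet": the same list that splits into three /24 groups collapses into two groups at /16.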

CyberChef Link

Example

Recipe #3 - Uniquing and Sorting IPs

One of my favorite uses of CyberChef is to Unique and Sort IPs. There are different ways to accomplish this task, and the best way depends on how you are including the IPs or if you are chaining recipes. I'll go over the three methods I use.

Method 1: Extract IP Addresses

This is one of my favorites. Whether you are working with full-text messages or a list of IPs, you can use the Extract IP Addresses recipe to pull out the IPs, with built-in options to sort and unique the results. Other handy options include the ability to display the total count of IPs or to remove private IPv4 addresses so you see only the external IPs in the input.

CyberChef Link Example #1
CyberChef Link Example #2

Examples
Example 1: Extract IPs from full-text
Example 2: Extract IPs from list

Method 2: Sort and Unique Recipes

If you are chaining recipes together and need more control over when IPs are uniqued or sorted, you can use the Unique and Sort recipes individually.

💡 One reason why you might use these individual recipes over the Extract IP recipe is to get a unique count of each IP and then reverse sort to see what IPs were the most common.
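The extract, unique, sort and count steps from both methods, as an added Python example (not part of the original post and not CyberChef's own code). The regex, function names and log lines are constructed for illustration; the sample includes a version string and an out-of-range address to show why candidates are validated.

```python
import ipaddress
import re
from collections import Counter

# Dotted quad not embedded in a longer dotted number (e.g. version strings).
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

# Constructed sample log
SAMPLE_LOG = """\
Jan 10 03:12:01 fw01 DROP src=8.8.8.8 dst=10.0.0.5 proto=udp
Jan 10 03:12:02 fw01 ACCEPT src=192.168.1.20 dst=1.1.1.1 proto=tcp
Jan 10 03:12:04 fw01 DROP src=8.8.8.8 dst=10.0.0.5 proto=udp
Jan 10 03:12:09 fw01 agent version 2.4.1.0.7 reported 999.10.10.10
Jan 10 03:12:11 fw01 DROP src=1.1.1.1 dst=10.0.0.12 proto=tcp
Jan 10 03:12:15 fw01 DROP src=8.8.8.8 dst=10.0.0.5.
"""


def extract_ips(text, drop_private=False):
    """Every valid IPv4 address in text, in order, duplicates kept."""
    found = []
    for candidate in IPV4_CANDIDATE.findall(text):
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue  # e.g. 999.10.10.10: looks like an IP, is not one
        # Note: is_private is broader than RFC 1918; it also covers
        # loopback, link-local and the documentation ranges.
        if drop_private and ip.is_private:
            continue
        found.append(ip)
    return found


def unique_sorted(ips):
    """De-duplicate and sort numerically (10.0.0.5 before 10.0.0.12)."""
    return [str(ip) for ip in sorted(set(ips))]


def most_common(ips):
    """(ip, count) pairs, highest count first, ties in numeric order."""
    counts = Counter(ips)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(str(ip), n) for ip, n in ordered]


if __name__ == "__main__":
    print(unique_sorted(extract_ips(SAMPLE_LOG, drop_private=True)))
    print(most_common(extract_ips(SAMPLE_LOG)))
```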

CyberChef Link

Example

Conclusion

That's all for this edition of CyberChef Charcuterie! I hope you've enjoyed the samples and found some inspiration for your own recipes. If you have any suggestions for future recipes or feedback on the series, I'd love to hear from you. Please leave a comment below and let me know what you think.

If you want to stay updated on future CyberChef recipes and tips, you can subscribe to this blog. If subscribed, you will receive these posts directly to your inbox.

Whether you're a seasoned pro or just getting started with the tool, there's always something new to discover and explore with CyberChef. Bon appétit, and happy threat-hunting with CyberChef.

Thanks for reading!