CipherBase

01

ENCODING

// WHAT IS ENCODING?

Encoding is the process of transforming data from one format to another. It is NOT encryption — it is immediately reversible and provides no security. It is simply a way to represent data.

// URL ENCODING

Also called percent-encoding. Replaces special characters with a % followed by two hex digits. Ensures special characters don't break URI structure.

Original: http://example.com/my file.txt
Encoded:  http://example.com/my%20file.txt

// BASE64

A binary-to-text encoding using 64 printable characters. Represents every 6-bit segment. Increases data size by ~33%. Used to transmit binary data over text channels.

Input:  Many hands make light work.
Output: TWFueSBoYW5kcyBtYWtlIGxpZ2h0IHdvcmsu

// HTML ENCODING

Converts special HTML characters into entity codes to prevent the browser from interpreting them as markup. Critical for preventing XSS (Cross-Site Scripting) attacks.

&  →  &amp;     <  →  &lt;     >  →  &gt;
"  →  &quot;    '  →  &#x27;

// HEX & BINARY

Hexadecimal (base-16) is a compact way to represent binary data. Each hex digit maps to 4 bits. Commonly used for representing byte values, colors, MAC addresses, and raw data.

A = 0x41 = 01000001
Z = 0x5A = 01011010
0 = 0x30 = 00110000

URL ENCODING — COMMON CHARS

Char	Encoded
space	%20
"	%22
%	%25
<	%3C
>	%3E
\	%5C
{	%7B
}	%7D
\|	%7C
~	%7E

HTML ENTITY ENCODING

Char	Entity
&	&
<	<
>	>
"	"
'	'

BASE64 ALPHABET (PARTIAL)

Val	Char	Val	Char
0	A	26	a
25	Z	51	z
52	0	61	9
62	+	63	/
Base64URL: + → - and / → _

02

ENCRYPTION & CRYPTOGRAPHY

// CRYPTOGRAPHY

The practice and study of techniques for secure communication. Protects confidentiality (data is private), integrity (data is unaltered), and authenticity (data is genuine). Used everywhere: HTTPS, SSH, banking, file verification.

// SYMMETRIC ENCRYPTION

Uses the same key to encrypt and decrypt. Faster, smaller keys. Examples: AES (128/256-bit keys), DES (56-bit, broken).

// ASYMMETRIC ENCRYPTION

Uses a key pair — public key encrypts, private key decrypts (and vice versa). Slower, larger keys. Examples: RSA, ECC.

// KEY EXCHANGE & TLS

Asymmetric encryption is used to securely exchange a symmetric key. Once both parties have the symmetric key, they switch to faster symmetric encryption. This is the foundation of TLS/HTTPS. Diffie-Hellman and RSA key exchange are common methods.

// CAESAR CIPHER

One of history's simplest ciphers — shift each letter by a fixed number. Only 25 possible keys, making it trivially breakable. Example: HELLO shift 3 → KHOOR

// MODULO MATH

The % operator returns the remainder of division. Used heavily in cryptography. 25 % 5 = 0 | 23 % 6 = 5. Modulo is not reversible — if x % 5 = 4, x could be infinite values.

Ciphertext

The result of encrypting plaintext — unreadable without the key.

Plaintext

The original, readable data before encryption.

Cipher

A method/algorithm for encrypting or decrypting data.

Key

Information needed to correctly decrypt ciphertext into plaintext.

Passphrase

Like a password — used to protect a cryptographic key.

Digital Signature

Verifies sender identity and message integrity.

Brute Force

Attacking by trying every possible password or key.

Cryptanalysis

Attacking by finding weaknesses in the mathematics.

Alice & Bob

Standard names for two parties in crypto communication.

IV / Nonce

Initialization Vector — random value ensuring same input encrypts differently each time.

Block Cipher Mode

ECB, CBC, CTR, GCM — how block ciphers process data.

Padding

Adding data to fill block size. PKCS#7 is common. Padding oracle attacks exploit bad padding.

SYMMETRIC vs ASYMMETRIC

Property	Symmetric	Asymmetric
Keys	1 shared key	Key pair (public + private)
Speed	Fast	Slow
Key Size	128–256 bits	2048–4096 bits
Examples	AES, DES, Blowfish	RSA, ECC, DSA
Use Case	Bulk data encryption	Key exchange, signatures
Key Distribution	Hard (must share secretly)	Easy (public key is shareable)

COMMON BLOCK CIPHER MODES

Mode	Description	Security
ECB	Each block encrypted independently	⚠ Insecure
CBC	XORs each block with previous ciphertext	OK with HMAC
CTR	Turns block cipher into stream cipher	Good
GCM	CTR + authentication tag	Best practice

03

HASHING

// WHAT IS A HASH FUNCTION?

Takes input data of any size and produces a fixed-size digest. No key — it is a one-way function. Any small change in input causes a massive change in output (avalanche effect). Output is usually encoded as hex or Base64.

// HASH COLLISIONS

When two different inputs produce the same hash. Unavoidable due to the pigeonhole effect. MD5 and SHA1 are broken due to engineered collisions — don't use for passwords.

// PASSWORD HASHING

Never encrypt passwords — store their hash instead. Add a salt (random unique string per user) to prevent rainbow table attacks. Use bcrypt or sha512crypt.

// RAINBOW TABLES

Pre-computed lookup tables of hash → plaintext. Fast to look up, trades disk space for speed. Defeated by salting — the salt makes every hash unique.

// CRACKING TOOLS

Hashcat — GPU-based, extremely fast. Never use --force. John the Ripper — CPU-based. Common wordlist: rockyou.txt

UNIX HASH PREFIXES

Prefix	Algorithm
$1$	md5crypt (Cisco, old Linux)
$2$/$2a$/$2b$/$2y$	Bcrypt
$5$	sha256crypt
$6$	sha512crypt (default Linux)

HASH SIZES

Algorithm	Output	Status
MD5	16 bytes (128 bit)	Broken
SHA1	20 bytes (160 bit)	Broken
SHA256	32 bytes (256 bit)	Safe
SHA512	64 bytes (512 bit)	Safe
bcrypt	60 chars	Recommended
NTLM	16 bytes (MD4)	Weak

STORAGE LOCATIONS

OS	Location
Linux	/etc/shadow (root only)
Windows	SAM (NTLM/LM hashes)
macOS	/var/db/dslocal/nodes/Default

HASH IDENTIFICATION TIPS

MD5: 32 hex chars (e10adc3949ba59abbe56e057f20f883e)

SHA1: 40 hex chars

SHA256: 64 hex chars

SHA512: 128 hex chars

bcrypt: starts with $2y$ or $2a$

MySQL: 16 hex chars or 41 chars with *

04

INTERACTIVE TOOLS

URL Encode / Decode

Output:

—

Base64 Encode / Decode

Output:

—

HTML Entity Encode / Decode

Output:

—

Caesar Cipher

Shift:

Output:

—

ROT13 Cipher

A special case of Caesar cipher with shift 13. Applying it twice returns the original text. Not secure — only obscures text.

Output:

—

Hash Generator (Browser-based)

Uses the Web Crypto API. All computation runs locally in your browser.

Output:

—

Hex / Binary / Decimal Converter

Output:

—

XOR Cipher

XOR is its own inverse: XOR encrypt and XOR decrypt are the same operation. Fundamental building block of many ciphers.

Key:

Output:

—

05

PRACTICE QUESTIONS

SCORE TRACKER 0 / 0 correct

// Q1 — ENCODING

What encoding schema is also called percent encoding?

// Q2 — ENCODING

Decode this Base64 string: TXkgRmlyc3QgQmFzZTY0IERlY29kZQo=

💡 Hint: Use the Base64 tool above

// Q3 — ENCODING

What is the HTML encoded value for &?

// Q1 — ENCRYPTION

What do you call the encrypted plaintext?

// Q2 — ENCRYPTION

Decrypt XRPCTCRGNEI — it was encrypted with Caesar Cipher. What's the plaintext?

💡 Hint: Use the Caesar brute force tool above!

// Q3 — ENCRYPTION

What type of encryption uses the same key for both encryption and decryption?

// Q1 — HASHING

What is the output size in bytes of the MD5 hash function?

// Q2 — HASHING

Can you avoid hash collisions? (Yea/Nay)

// Q3 — HASHING

Should you encrypt passwords? (Yea/Nay)

// Q4 — HASHING

What hash format is this? e22084c2ca255918f9f9c755e06e9dbe7cdf13f0635bdcafaa6dbc8ba963c25b

06

RESOURCES & TOOLS

// PRACTICE PLATFORMS

TryHackMeFREE TIER

Beginner-friendly cybersecurity training platform with guided rooms and learning paths.

HackTheBoxFREE TIER

Challenging machines and challenges for all skill levels. Great for practical hacking experience.

CryptoHackFREE

Dedicated cryptography challenges. Learn by solving puzzles in modular arithmetic, AES, RSA, and more.

picoCTFFREE

CMU's beginner-friendly CTF competition. Great intro to cybersecurity challenges and CTF format.

OverTheWireFREE

Wargames to learn security concepts. Start with Bandit for Linux fundamentals and privilege escalation.

Root-MeFREE TIER

French-based platform with 400+ challenges across steganography, crypto, web, forensics, and more.

// CRYPTO & ENCODING TOOLS

CyberChef

The "Swiss Army Knife" of data transformation. Encode, decode, encrypt, hash, analyze — all in one.

CrackStation

Free online hash cracking using precomputed rainbow tables. Supports MD5, SHA1, SHA256, and more.

Hashes.com

Online hash decryption service. Supports many hash types with a large database of pre-cracked hashes.

dCode Cipher Identifier

Auto-identify cipher types. Paste ciphertext and it suggests likely encryption/encoding methods used.

Hashcat

World's fastest password recovery tool. GPU-accelerated. Supports 300+ hash types.

John the Ripper

Popular CPU-based password cracker. Works great in VMs. Detects hash types automatically.

// TRYHACKME ROOMS

→

Data EncodingTHM

→

Encryption Crypto 101THM

Crack the Hash Level 2THM

→

Cryptography ConceptsTHM

→

Breaking Crypto the Simple WayTHM

→

Cryptography for DummiesTHM

// LEARNING RESOURCES

PacketLabs — Encoding vs Encryption vs Hashing

Clear comparison article explaining the differences.

Auth0 — Encoding vs Encryption vs Hashing

In-depth blog post with practical examples.

PortSwigger — Obfuscating with Encodings

How attackers use encoding to bypass security filters.

GeeksforGeeks — All Three Compared

Visual comparison with code examples.

MDN — Base64

Mozilla's official documentation on Base64 encoding.

BeyondTrust — Password Cracking 101

Attacks and defenses explained in detail.

// WORDLISTS & UTILITIES

SecLists

Comprehensive collection of wordlists, passwords, fuzzing payloads, and more. Essential for any pentester.

rockyou.txt

14M+ passwords from the RockYou breach. The most commonly used password cracking wordlist.

Wireshark

Network protocol analyzer. Inspect TLS handshakes, certificates, and encrypted traffic patterns.

Burp Suite

Web security testing toolkit. Intercept and manipulate encoded/encrypted data in transit.

OWASP Top 10

Understand where crypto failures fit in common web vulnerabilities (A02: Cryptographic Failures).

CVE Details

Search for known cryptographic vulnerabilities in software products and libraries.

// ADVANCED CHALLENGES

→

WAF Exploitation TechniquesADV

Cauldron ChallengeADV

// ENCODING

// ENCRYPTION

// HASHING

ENCODING

// WHAT IS ENCODING?

// URL ENCODING

// BASE64

// HTML ENCODING

// HEX & BINARY

URL ENCODING — COMMON CHARS

HTML ENTITY ENCODING

BASE64 ALPHABET (PARTIAL)

ENCRYPTION & CRYPTOGRAPHY

// CRYPTOGRAPHY

// SYMMETRIC ENCRYPTION

// ASYMMETRIC ENCRYPTION

// KEY EXCHANGE & TLS

// CAESAR CIPHER

// MODULO MATH

SYMMETRIC vs ASYMMETRIC

COMMON BLOCK CIPHER MODES

HASHING

// WHAT IS A HASH FUNCTION?

// HASH COLLISIONS

// PASSWORD HASHING

// RAINBOW TABLES

// CRACKING TOOLS

UNIX HASH PREFIXES

HASH SIZES

STORAGE LOCATIONS

HASH IDENTIFICATION TIPS

INTERACTIVE TOOLS

URL Encode / Decode

Base64 Encode / Decode

HTML Entity Encode / Decode

Caesar Cipher

ROT13 Cipher

Hash Generator (Browser-based)

Hex / Binary / Decimal Converter

XOR Cipher

PRACTICE QUESTIONS

RESOURCES & TOOLS

// PRACTICE PLATFORMS

// CRYPTO & ENCODING TOOLS

// TRYHACKME ROOMS

// LEARNING RESOURCES

// WORDLISTS & UTILITIES

// ADVANCED CHALLENGES