She Wore A Mirrored Mask
This article describes security testing-related software whose use may be restricted or prohibited in your place of residence or your workplace. The penalties for violating laws and regulations regarding security testing-related tools can be severe. Ensuring that you are allowed to use this software is your responsibility.
The software described is a "preview release" which is not yet feature-complete and which has not been tested on a variety of systems. Even if you are allowed to use the software, you should do so with caution, on systems which can be easily restored to their previous state if they are damaged.
Table of contents
- Introduction — what is She Wore A Mirrored Mask?
- Known Limitations
- Future Releases and Planned Features
- If You Would Like To Contribute
- Artwork and Historical Screenshots
Introduction — what is She Wore A Mirrored Mask?
She Wore A Mirrored Mask is a Python-based lightweight webserver specifically designed for penetration-testing use.
The current release is only a tiny subset of its full potential — it is limited for the most part to working in conjunction with On The Outside, Reaching In, which uses She Wore A Mirrored Mask to store malicious XML documents and fragments, as well as to stage exfiltrated content.
The fact that even this limited preview includes functionality related to masquerading as a variety of other webservers should provide some insight into what She Wore A Mirrored Mask is intended to become someday: a service which can be deployed on a target network where it will appear to be a benign, ordinary component, but offer the following hidden capabilities (and more) to its true owner:
- Data exfiltration
- Hidden port-forwarding
- Hidden HTTP proxying
In addition, it should be able to serve reverse-engineers well in the lab, offering canned/stub responses to client requests directed to it via DNS, IP, ARP spoofing, or other means.
Known Limitations
In the interest of making a potentially-useful tool available sooner rather than later, the current release of She Wore A Mirrored Mask is a preview which has significant missing functionality compared to the intended "feature-complete" alpha release of the future:
- Stored and retrieved data is base64-encoded, but not encrypted, so it may be detected by IDS/IPS devices.
- While it can fool Nikto and nmap (as of this writing) into thinking it is a variety of servers, specialized tests could quickly unmask it.
- It has been tested only using Python 2.7.3 (the current default on both test platforms).
- While it pretends to support HTTP 1.1, it does not allow connection re-use.
- Sometimes the server does not shut down cleanly when Ctrl-C is pressed, and if it is restarted before the TCP port has been freed by the OS, it will be unable to bind to that same port.
- This software has not been tested with IPv6.
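A defender-side check that follows from the HTTP 1.1 limitation above, as an added example (not part of She Wore A Mirrored Mask and not its author's code): a reply that implies a persistent connection, followed by a dropped connection on the second request, is one of the "specialized tests" that separates a mimic from the server it imitates. The function names and verdict labels are hypothetical, and only Content-Length-framed replies are assessed.

```python
import socket

def parse_head(raw):
    """Return (version, headers) for raw HTTP response bytes, or None if not HTTP."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None
    fields = (line.partition(":") for line in lines[1:])
    return parts[0], {k.strip().lower(): v.strip() for k, sep, v in fields if sep}

def promises_persistence(raw):
    """True if the reply implies reuse: HTTP/1.1 unless 'close', HTTP/1.0 if 'keep-alive'."""
    parsed = parse_head(raw)
    if parsed is None or "content-length" not in parsed[1]:
        return False  # unframed body ends at close; chunked is out of scope here
    version, headers = parsed
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return "close" not in tokens if version == "HTTP/1.1" else "keep-alive" in tokens

def verdict(first, second):
    """Compare what reply 1 promised with what happened to request 2."""
    if not promises_persistence(first):
        return "no-claim"
    return "consistent" if parse_head(second) else "mismatch"

def exchange(sock, request):
    """Send one request and read one Content-Length-framed reply (b'' on failure)."""
    buf = b""
    try:
        sock.sendall(request)
        while True:
            parsed = parse_head(buf) if b"\r\n\r\n" in buf else None
            if parsed:
                body = buf.split(b"\r\n\r\n", 1)[1]
                if len(body) >= int(parsed[1].get("content-length", 0)):
                    return buf
            chunk = sock.recv(4096)
            if not chunk:
                return buf  # peer closed; hand back whatever arrived
            buf += chunk
    except (OSError, ValueError):  # reset, timeout or unparsable length
        return b""

def probe(host, port, path="/", timeout=5.0):
    """Send two GETs on one TCP connection to a server you administer."""
    request = ("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (path, host)).encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return verdict(exchange(sock, request), exchange(sock, request))
```

A "mismatch" is a lead to investigate rather than proof, and a server that honestly sends `Connection: close` yields "no-claim".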
Future Releases and Planned Features
Some of the things I'd like to include in future releases (not in any particular order):
- Correct HTTP 1.1 operation (pipelining, etc.).
- Respond with HTTP 1.0 if that's what the client requested.
- Figure out how various mimicked servers respond to HTTP/0.9 (and other unexpected version numbers) requests and emulate that.
- Respond correctly to requests for partial content.
- Convincingly fake etags.
- Accurately respond to requests using If-None-Match, If-Modified-Since, etc.
- Hellban clients that make too many requests for non-She Wore A Mirrored Mask content.
- More server profiles.
- Customizable responses for the root directory:
  - 404/400 (what it does today).
  - Generic "unauthorized" response (to simulate IP-level filtering).
  - Prompt for basic auth which will never succeed, but which will be captured for re-use elsewhere.
  - Prompt for NTLM auth which will never succeed, but which will be captured using e.g. Squirtle or Responder for re-use elsewhere.
  - Reverse-proxy to legitimate (non-compromised) systems on the network to intercept information and credentials (including via the use of glued-on basic or NTLM auth).
- Based on request URL, source IP, etc:
  - Drop the connection.
  - Always respond with 404/403/401/etc.
  - Perform a network-level port-forwarding operation (e.g. act as a hidden TCP relay).
  - Perform an application-layer port-forwarding operation (e.g. act as a hidden forward or reverse HTTP proxy).
- Transparent chained SSL-forwarding through multiple She Wore A Mirrored Mask servers.
- "URL-knocking" model where certain functionality is unlocked by a "magic sequence" of requests which each look innocuous.
  - For maximum paranoia, require that each component of the "URL-knocking" sequence come from a specific source. E.g. three compromised machines must send "magic requests" to the She Wore A Mirrored Mask server before the server will allow a fourth compromised machine to use it as an HTTP proxy.
- Add support for sending and retrieving stored content in the form of AES-encrypted, base64-encoded packages to make IDS/IPS detection much harder.
- Write all requests and responses to raw data files in the filesystem.
- Write all requests and responses to prebuilt stored request/response files.
- Import request/response pairs from intercepting proxy logs (Burp Suite, OWASP ZAP, etc.).
- Provide command-line tools for reading and writing data so that She Wore A Mirrored Mask can be used completely independently of On The Outside, Reaching In.
- Provide scripts/instructions for easily collecting mimicked response pages from non-free software like IIS (they have to be manually obtained today).
If You Would Like To Contribute
Please get in touch with me using the Contact form.
Artwork and Historical Screenshots
Screenshot of the highest-resolution banner
Higher-resolution version of the icon/banner sketch
She Wore A Mirrored Mask is distributed along with On The Outside, Reaching In, so if you are planning on using them together, you just need to download that package. However, if you would like to take advantage of the ability to run She Wore A Mirrored Mask on a separate system, a standalone package can be downloaded below.