Mercury

Presented at DEF CON 30 (2022), Aug. 12, 2022, noon (115 minutes)

Mercury is an open source package for network metadata extraction and analysis. It reports session metadata including fingerprint strings for TLS, QUIC, HTTP, DNS, and many other protocols. Mercury can output JSON or PCAP. Designed for large-scale use, it can process packets in real time at 40 Gbps on server-class commodity hardware, using Linux-native zero-copy high-performance networking. The Mercury package includes tools for analyzing PKIX/X.509 certificates and finding weak keys, and for analyzing fingerprints with destination context using a naive Bayes classifier.

Audience: Network defense, incident response, forensics, security and privacy research


Presenters:

  • Brandon Enright
    Brandon Enright is a lead DFIR investigator for Cisco CSIRT, an expert at DNS and network data analysis, and a contributor to Nmap and other open source projects.
  • David McGrew
    David McGrew leads research and development into the detection of threats, vulnerabilities, and attacks using network data. He designed authenticated encryption algorithms and protocols, most notably GCM and Secure RTP, and he is a Fellow at Cisco Systems.
