The following process appears to be used for authenticating the client:

1. Client sends getnonce command to server.
2. Server replies with a random 16 character nonce.
3. Client creates a key using the following formula:

Key = MD5(nonce + username + MD5(username + “:Mongo:” + password))

4. Client sends the key, nonce, and the username to the server
5. Server compares the key to check whether or not to authenticate the user.

The fact that the server uses a randomly generated nonce eliminates
the risk of a replay attack. However, a malicious user could listen to
the whole authentication conversation on the wire and attempt to brute force the password. The nonce and the username are known
so the malicious user would only need to guess the password and
compare keys.