Memcached < 1.4.17 SASL authentication bypass


We have approved that configurations of memcached prior to 1.4.17 suffers authentication bypassing on SASL configurations.


When SASL enabled in memcached prior to 1.4.17 with

./configure --enable-sasl

and memcached daemon started with -S parameter memcached configures itself to authenticate over saslauthd.

Due to coding failure in memcached.c on second try with wrong password memcached fails authentication but still runs as authenticated which you can see detailed logs down below.

read more

Capsule127 - A password cracker for clouds

Capsule127 is a password cracker using data-grid technologies.

Currently available for all platforms with JRE 6 but not tested on Windows platforms. It is using Hazelcast as open-source datagrid for high-performance data flow over network and concurrency necessities.

For now, it just supports following hash types;

  • (MY4) MySql pre 4.1
  • (MY5) Mysql post 4.1
  • (MS2005) Microsoft Sql Server 2005-2008
  • (MS2012) Microsoft Sql Server >= 2012
  • (O11) Oracle < 11g (DES)
  • (O) Oracle >= 11g (SHA1)
  • (LM) LanMan Hash
  • (NT) NT Hash

Planning to implement;

  • WPA-WPA2 Pre Shared Keys
  • SHA1, SHA256, SHA512
  • ZIP file
  • PDF
  • SHA3 (Keccak)
  • Camellia
  • MD4, MD5
  • HMAC-MD5
  • Cisco PIX
  • RipeMD160
  • Whirlpool
  • Various TrueCrypt 5+ hashes
  • Blowfish (openbsd)

Check it out at GitHub Page

read more