July 20 2023

Kevin Mitnick and the Christmas attack. The narration of a virtuous hack dedicated to IP Spoofing

The Condor has flown away, we celebrate a great character by recounting a hack that will go down in history as "The Christmas attack" decreeing Kevin Mitnick as the most famous hacker in the world.


Kevin Mitnick, one of the most iconic and famous hacking figures in the history of the Internet, passed away today at the age of 59. The news was confirmed by various sources to the US press, and the cause of death is reported to have been pancreatic cancer, the same disease that a few years ago took from life (but not from legend) another excellent computer scientist like Steve Jobs.

Mitnick has long been the most wanted hacker on the planet, best known for a series of "computer crimes" (the quote is a must) perpetrated during the 90s. His ingenious mind was the protagonist of one of the most impressive digital thefts in history, which led to the exfiltration of thousands of documents, sensitive data and credit card numbers from computers in the United States.

The skilled hacker, who has been able to upset the systems of governments and corporations by stealing their secrets, he always defended his actions by declaring: “I have never taken a single dollar out of the citizens' pockets". However, his criminal activities cost him over 5 years in prison. In 1979, Mitnick committed his first breach of a computer network. He managed to remain anonymous for several years, only being sentenced to 12 months in prison in 1988.

But his rise as a hacker gained momentum soon after. He has targeted the computer systems of government, corporate and university entities, using his technical expertise to infiltrate the telephone networks of millions.

Kevin Mitnick Wanted FBI

In 1995, after a search that lasted more than two years, Mitnick was finally arrested. Captured by the FBI, he is charged with illegal use of a dial-up device and computer fraud. "It was alleged that he had access to corporate trade secrets worth millions of dollars. It was a considerable threat“, Kent Walker, a former assistant to the US attorney in San Francisco, said at the time, as reported by the New York Times. An event that the newspaper still vividly remembers, as three years later the website of the prestigious American newspaper was attacked by a group of Mitnick's supporters, forcing him to remain offline for several days.


As far as I'm personally concerned, it was precisely technical figures like Mitnick who fascinated me in the world of computer security and UNIX systems, generating an audience of enthusiasts and nerds who would have made the world a better place, developing that technology and security that today allows us to buy goods online with just a few clicks on our smartphone.

Beyond the distortions of the press with front-page headlines that tended to present Kevin Mitnick as a criminal of the worst kind, it is our duty and task to restore his reputation by showcasing an uncommon competence for the time, and an intelligence worthy of the best chess players on the planet, after all, what can we say, Kevin Mitnick "The Condor" was just playing a "war between the brains" like in Wargames.

War Games Movie

In this regard, we are going to present and analyze the famous "Christmas Attack", a milestone for all those who are passionately dedicated to the world of IT security which saw Kevin Mitnick, hack Tsutomu Shimomura's X-Terminal computer thanks to an early implementation of the TCP connection, which was not particularly secure at the time. Mitnick's action was driven by a strong desire for curiosity, and he accomplished something no one before him had ever done.

Mitnick was able to perform a "man-in-the-middle" attack under a false identity, exploiting the trust relationship between two computers. This type of attack consists of positioning itself between two communicating entities, intercepting and manipulating the information that travels between them. Mitnick's attack made him known (rightfully) as the most famous hacker in the United States of America.

Kevin Mitnick, a genius in computer security.

The cybersecurity sphere is a rich and varied palette filled with incidents of intrusion, system manipulation, and unparalleled defense strategies. Among these stories, the one that stands out for its audacity, skill and ingenuity is undoubtedly the incident known as "the Christmas attack". This event, which took place in 1994, was the scene of an unprecedented digital duel between two giants of the time: on the one hand Kevin Mitnick, on the other Tsutomu Shimomura.

Kevin Mitnick, whose name is synonymous with hacking worldwide, was self-taught, a social engineer, a systems manipulator, and a master at finding and exploiting flaws in computer systems. His skills have led him to be one of the most wanted hackers in US history, making him an icon in the world of hacking and computer security. Not just a hacker, Mitnick was a true artist in his own right, using his deep knowledge and incredible creativity to challenge and transcend digital barriers.


In 1994, Tsutomu Shimomura was a leading figure in the field of computer security. With a solid academic background and a deep interest in network security, he was known for his expertise and commitment to protecting computer systems.

Shimomura was a research scientist at the San Diego Supercomputer Center, a research institution affiliated with the University of California at San Diego. Here, he was involved in a number of advanced research projects, with a particular interest in the security of computer systems and networks. His work included analyzing emerging threats, designing new defense techniques, and continually improving existing security measures.

Shimomura's reputation as a security expert was well established. He had a solid understanding of the technical details of network protocols and potential vulnerabilities that could be exploited by attackers. Additionally, he was well known for his ability to think like an attacker, a talent that has proved invaluable in preventing and responding to cyberattacks.

Shimomura's position in San Diego put him at the center of the cybersecurity action. He was in a unique position to observe and respond to emerging threats, and his insights and technical expertise were often sought after by other industry professionals. Despite his prominent position, however, in 1994 Shimomura was faced with an unprecedented challenge: the attack of Kevin Mitnick, an event that would test his skills and determination like never before.

The Christmas attack was not just one example of how a deep understanding of computer systems can be used to evade the most advanced defenses. It was also a testament to the genius and determination of Kevin Mitnick, who used one of the most sophisticated techniques of the time – IP Spoofing – to carry out the daring attack on him.

This story remains a landmark in the history of cybersecurity, offering a fascinating look at one of the most powerful and sophisticated attack methods of its time: IP Spoofing. It reveals how genius, cunning and a solid technical knowledge can combine to create a powerful attacking strategy, capable of challenging even the most solid defenses.

The TCP/IP Protocol, the Three-Way Handshake and IP Spoofing: a deep analysis

To fully understand the ingenious attack orchestrated by Mitnick, it is essential to familiarize yourself with the key concepts behind network protocols, and in particular with the TCP/IP protocol. TCP/IP is the backbone of the Internet, a suite of communications protocols that provide a blueprint for computers to connect and send information between them.

A fundamental element of the TCP/IP protocol is the IP address, a unique identifier assigned to every device connected to the network. This IP address not only locates and identifies a device on the network, but is also used to route data from the sender to the recipient.

In this context, it is important to understand the concept of "Three-Way Handshake", a crucial element of the TCP protocol. TCP, or Transmission Control Protocol, is responsible for reliably sending data between devices on the network. To do this, it establishes a stable, two-way connection between sender and recipient before starting data transmission. This connection is established through a process known as a “Three-Way Handshake”.

The “Three-Way Handshake” consists of three basic steps:

Three Way Handshakes

  1. SYN: The initiating device sends a packet with a SYN flag to the receiving device, indicating its willingness to establish a connection.
  2. SYN-ACK: The recipient device replies with a packet containing both the SYN flag and the ACK flag, accepting the connection request and in turn proposing a connection.
  3. ACK: Finally, the original device replies with an ACK packet, accepting the connection proposed by the recipient device. At this point, the connection is established and data transmission can begin.

Once we understand the Three-Way Handshake mechanisms and the importance of the IP address, we can introduce the concept of IP Spoofing. IP Spoofing is a malicious technique which consists in modifying the source IP address in a packet sent over the network, so as to make the recipient believe that the packet comes from a different device.

During an IP Spoofing attack, the attacker modifies the IP packet header, masking his real IP address with a different one. This technique can be used to circumvent security measures that rely on the IP address or to fool the recipient into believing that the packet comes from a reliable source. This makes IP Spoofing a powerful and dangerous tool in the hands of an experienced hacker.

Sequence Number as an additional form of security in TCP/IP.

A vital component of TCP/IP communication is the use of sequence numbers, or 'Sequence Numbers'. These numbers are essential for ensuring the reliability of the TCP protocol, ensuring the correct ordering of data packets sent across the network and contributing to the security of the connection.

The Sequence Number is a 32-bit value included in the header of each TCP packet, which uniquely identifies each byte of data sent. When a TCP connection is established, both the client and the server generate an Initial Sequence Number (ISN) for the new connection. This ISN, together with the IP address and the port number of the sender and recipient, allows each communication session to be uniquely identified.


Each time a data packet is sent, the Sequence Number is incremented by the number of data bytes in the packet. This allows the recipient to reassemble packets into order, even if they arrive out of order or if some packets are lost and need to be retransmitted. Also, the Sequence Number is used in the ACK to tell the sender the next byte of data the receiver expects to receive, thus allowing the sender to understand which packets were received successfully and which were not.

Sequence Numbers also play a vital role in preventing IP Spoofing attacks. During the Three-Way Handshake, the sender and receiver exchange their ISNs. Since these numbers are known only to the sender and receiver, an attacker trying to impersonate the sender should be able to predict the ISN to convince the receiver that the spoofed packets are indeed from the legitimate sender.

However, in 1994, the Sequence Numbers generated by operating systems weren't as random as they are today. Many systems used predictable algorithms to generate the Sequence Numbers, which made it possible for an attacker skilled enough to predict the Sequence Numbers and exploit this weakness to carry out IP Spoofing attacks, this technique is called Prediction Attack, or the prediction of the sequence number.

Today, most operating systems generate Sequence Numbers randomly, making it much more difficult for an attacker to predict these numbers. However, the importance of Sequence Numbers as a security tool in the TCP/IP protocol remains high, underscoring the importance of a multi-layered, proactive security approach in protecting network communications.

The Christmas attack: a calculated and strategically planned attack

Deep into Christmas night in 1994, as families around the world gathered around the Christmas tree, Kevin Mitnick was preparing a daring and well-coordinated cyber attack. The timing of this attack was by no means random, but a carefully planned strategic choice to maximize the chances of success.

The first factor that made Christmas day ideal for this type of attack was the almost total absence of users connected to the systems. This festive day meant that most people were away from their computers, busy celebrating Christmas. Therefore, it was unlikely that anyone would notice any unusual activity on the systems or interfere with Mitnick's attack.


The second factor was the reduction in network traffic. Being a public holiday, the volume of data traveling across the networks was significantly less than on working days. This decrease in traffic made Mitnick's job easier. With less network "noise," it would have been easier for him to perform IP Spoofing, as he had less data to contend with.

Also, with less network traffic, Mitnick had a better chance of correctly predicting TCP sequence numbers. When establishing a TCP connection, a three-way "handshake" is performed in which the devices involved exchange unique sequence numbers. Normally, these numbers are randomly generated to make an attack more difficult. However, in 1994, sequence numbers weren't completely randomly generated, and Mitnick, with the right skills and less network traffic, was able to predict the sequence numbers generated by Shimomura's system.

The Christmas attack, therefore, was a perfect combination of ingenuity, technical prowess and strategic timing. Mitnick used the peculiarities of the holiday season to his advantage, making his attack one of the most notorious in the history of computer security.

Mitnick's Christmas Attack: A detailed analysis.

Kevin Mitnick's cyber assault unfolded in five crucial phases, each of which played a vital role in the actual success of the attack.

Mitnick attacks

These stages include:

Phase 1: Information gathering

Before he could launch the attack, Mitnick had to gather a number of crucial information. In particular, he needed to understand how the X-Terminal's TCP sequence number generator worked, and whether there was a trust relationship between the X-Terminal and the Server.

Understand the behavior of the TCP sequence number generator Mitnick sent a SYN request to X-Terminal and received a SYN/ACK response. Later, he sent a RESET response to prevent the X-Terminal from filling up with requests. This cycle was repeated twenty times, allowing Mitnick to identify a pattern in successive TCP sequence numbers. It turned out that these numbers weren't random at all – each successive number was 128.000 higher than the previous one.

Identify a trust relationship between the X-Terminal and the Server

As part of the information gathering phase, a particularly significant element is represented by the identification of a relationship of trust between the X-Terminal and the Server. This is a crucial detail as a trusted relationship between two computer systems can, in fact, be exploited to facilitate unauthorized access to one of the two systems.

Before launching the attack, Mitnick managed to hack Shimomura's website. This preliminary operation had the aim of collecting key information on the target, useful for planning and perfecting the attack. Specifically, Mitnick's goal was to identify if there was a trust relationship between the X-Terminal and other computers on the network.

To do this, it used two specific commands: the 'finger' command and the 'showmount' command. The 'finger' command is an older UNIX tool that provides information about users on a system, including last login, uptime, and home directory details. This command allowed Mitnick to figure out which users had access to X-Terminal, potentially revealing trusted connections to other systems.

On the other hand, the 'showmount' command is a command used in UNIX and Linux environments to display NFS (Network File System) shares exposed by a server. This command allowed Mitnick to see if the X-Terminal had file shares with other systems, further indication of a possible trust relationship.

Through the combined use of these commands, Mitnick was able to build a detailed picture of potential trust relationships between the X-Terminal and other systems, setting the stage for the next attack.

Phase 2: The incessant flood

The second phase of Mitnick's attack featured a sophisticated and insidious strategy: a flood of SYN requests, commonly known as a SYN flood attack.

Mitnick has, at this stage, rendered the target server practically down, saturating it with an incessant stream of semi-open SYN requests. These requests came from a forged IP address, a tactic known as IP spoofing, which further complicated the defense efforts.

To carry out this type of attack, Mitnick used an IP address that was routable, meaning it could be reached across the network, but which was not active. This technical subtlety was critical to executing the attack: A routable but dead IP address would have allowed Mitnick to send SYN requests without ever completing the three-way handshake that would normally establish a TCP connection.

These "half-open" SYN requests began filling up the server's connection table rapidly, consuming available resources and making the server unable to handle new connections. Each half-open SYN request occupied a place in the server's queue of pending connections, a limited resource.

While the server attempted to complete the handshake with the inactive IP address, unsuccessfully sending SYN/ACK responses, new SYN requests kept coming in, keeping the server in a paralyzed state. This represents a classic example of a Denial of Service (DoS) attack, where the goal is to overload a system with network traffic or requests in such a way that it is inaccessible to legitimate users.

Then, using a clever mix of IP spoofing and SYN flooding, Mitnick was able to take down Shimomura's server, setting the stage for the next phase of the attack.

Stage 3: Hijacking the Trusted Relationship

The third phase of Mitnick's assault was a bold and technologically sophisticated maneuver aimed at manipulating the trust the X-Terminal placed in its network connections.

In the context of the TCP protocol, trust is a key mechanism: when a device receives a SYN request from another device, it assumes that the request is legitimate and responds accordingly. Mitnick exploited this premise to hijack the connection between the X-Terminal and the Server.

First, Mitnick sent a SYN request to X-Terminal. The request was disguised to appear as if it came from the Server: the IP address of the packet had been altered, or "spoofed", to match that of the Server. At the same time, Mitnick inserted an arbitrary number as the TCP sequence number of the Server in the SYN packet.

The X-Terminal, not suspecting anything strange, responded as expected by sending a SYN/ACK packet to the Server. However, due to the overload of SYN requests induced in phase 2, the Server was too busy to process or respond to this packet.

This is where Mitnick's ability to predict TCP sequence numbers comes into play, a trick he learned during the information-gathering phase. Mitnick was able to calculate the TCP sequence number that the X-Terminal would assign to the Server in its SYN/ACK response.

Thus, Mitnick sent one more packet to the X-Terminal: a final ACK to complete the three-way handshake. As with the initial SYN request, he spoofed the IP address of the packet to appear to come from the Server and used the expected TCP sequence number to convince the X-Terminal that the response came from a legitimate connection.

The X-Terminal, having received an ACK with the "correct" TCP sequence number, completed the handshake and established a connection. Only this connection was not with the Server, but with Mitnick. In doing so, he breached the security of Shimomura's system, setting the stage for the next stages of the attack.

Step 4: Entering Remote Commands

The fourth phase of Mitnick's attack focused on implementing a backdoor, a secret way to gain access to Shimomura's system in the future without needing to repeat the entire hijacking process.

To accomplish this, Mitnick used a remote command feature, which allowed him to send commands directly to Shimomura's computer, from his device. The specific command he sent was “echo + + >> /.rhosts”. This command made critical changes to the .rhosts file, which is a core component for some network services in the Unix operating system and its variants.

The .rhosts (remote hosts) file is an authentication mechanism used by services such as Rlogin, Rsh and Rcp, which allow users to access and work on a remote computer without having to enter a password each time. The .rhosts file contains a list of hostnames and usernames; if a remote user with a given name is trying to log in from a specific host, and this username and hostname pair is in the .rhosts file, then the user is considered authenticated and is allowed access.

With the “echo + + >> /.rhosts” command, Mitnick added two “+” in the .rhosts file. In this context, the “+” acts as a wildcard: the first “+” represents any host, and the second “+” represents any user. Thus, by adding "++" to the .rhosts file, Mitnick effectively gave any user from any host permission to access Shimomura's system without having to provide a password.

In essence, Mitnick created a universal rift in Shimomura's system. This backdoor would allow him easy access at any time, providing an unlimited amount of opportunity for future attacks or data theft.

Step 5: Cleaning

In the last phase of the attack, Mitnick concentrated his efforts on "cleaning", a crucial operation to reduce the traceability of his intervention and to restore the functionality of the Server that he had previously taken out of action.

Mitnick sent RESET type packets to the Server. These packets, in the context of the TCP protocol, are used to terminate an existing connection. In practice, when a RESET packet is received by one of the two parties of a TCP connection, it immediately interrupts the connection itself.

By sending these RESET responses, Mitnick then canceled all of his pending SYN requests, which had flooded the Server in Phase 2, causing it to be unable to handle any more connections. Once all these SYN requests have been canceled, the Server has been "freed up", i.e. returned to its normal operating capacity, able to respond to new requests and establish new connections.

This pass marked the end of Mitnick's offense. With the removal of his SYN requests, he left little trace of the attack on him, making it difficult for any investigators to accurately piece together what had happened. At the same time, he reduced the likelihood of being discovered, since restoring the Server to normal might have delayed the discovery of the intrusion.

Kevin Mitnick's influence on mass media and society.

Kevin Mitnick has had a significant impact on the media and society, not only for his hacking activities, but also for the way he reinvented himself. After serving a prison sentence, Mitnick turned his hacking experience into an opportunity to become a successful cybersecurity consultant, using his unique knowledge of hacking to help companies protect themselves.

Mitnick has been referenced and depicted in various media and works of art. His character was the focus of the 2000 film “Takedown” also known as “Track Down,” based on the book “Takedown” by Tsutomu Shimomura, the man who helped capture him. In the film, Mitnick's character is presented as a computer genius obsessed with researching and pushing boundaries.

Takedown movie Kevin Mitnick

The world of literature has also been affected by the Mitnick effect. His own book, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, offers a detailed account of his experiences, and his story has inspired other authors. “The Fugitive Game: Online with Kevin Mitnick” by Jonathan Littman is another book that tells Mitnick's story, providing another perspective on his adventures.

Mitnick's story has also influenced how society perceives hackers and cybersecurity. Before Mitnick, the concept of hacking was often relegated to the realm of fantasy. However, his actions have helped bring hacking and cybersecurity to the light, helping to raise public and business awareness of the importance of cybersecurity.

Mitnick has become something of a cult figure in the world of hacking and cybersecurity. His story serves both as a reminder of the potential consequences of cybercrime and as an example of how a former hacker can use his skills to become a positive force in the cybersecurity industry.


The complexity of Kevin Mitnick's attack orchestrated in the age of emerging technologies and limited cybersecurity awareness is testament to his vision and technical prowess. Mitnick's attack was not only sophisticated for the time, but raised fundamental questions that led the international computer community to reflect deeply on system security.

Mitnick pointed out how easy it was to predict what a random number should be, exposing a fundamental weakness in the TCP/IP protocol. By exploiting the inability of sequence numbers to be truly random, Mitnick illustrated how the security of systems could easily be compromised.

Additionally, its attack exposed vulnerabilities inherent in clear-text services such as Remote Shell (RSH) and Telnet, which were in widespread use at the time. The ease with which Mitnick was able to exploit these protocols shed light on how authentication and unencrypted data transmission could expose users to serious security risks.

Finally, Mitnick's attack highlighted the problem of IP spoofing at the IP level, a problem which, although mitigated, has never been fully resolved and is still a challenge in network security today.

While Kevin Mitnick was initially labeled a cybercriminal, his contribution to understanding system vulnerabilities and the need for stronger security is undeniable. In recent decades, he has emerged as a pioneering figure and visionary in the field of cybersecurity. He has pushed the limits of existing technologies, exposing their flaws and spurring progress in system security. More than a criminal, Mitnick can be seen as a passionate hacker who helped raise the bar in computer security and to whom we should all be eternally grateful.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.


Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.


Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds owns the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Facebook, Inc. owns the rights to Facebook®; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV This site is not affiliated, sponsored, or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a registered trademark at European level by MANAGED SERVER SRL Via Enzo Ferrari, 9 62012 Civitanova Marche (MC) Italy.

Back to top