Ghost in the Wires: My Adventures as the World's Most Wanted Hacker
The rear entrance door is one of those that unlock when an employee holds his or her access card up to the card reader. As the group single-files through the door, I fall in at the back of the line. The guy ahead of me reaches the door, notices there’s someone behind him, takes a quick glance to make sure I’m wearing a company badge, and holds the door open for me. I nod a thanks. This technique is called “tailgating.”
Inside, the first thing that catches my eye is a sign posted so you see it immediately as you walk in the door. It’s a security poster, warning not to hold the door for any other person but to require that each person gain entrance by holding up his card to the reader. But common courtesy, everyday politeness to a “fellow employee,” means that the warning on the security poster is routinely ignored.
I’ve done my homework in advance and have the name of one of the company’s network engineers; I figure he’s likely to have full administrator rights to the company’s network.
Damn! When I find his workspace, it’s not an easily accessible cubicle but a separate office… behind a locked door. But I see a solution. The ceiling is made up of those white soundproofing squares, the kind often used to create a dropped ceiling with a crawl space above for piping, electrical lines, air vents, and so on.
From my fanny pack, I pull out a CD with a bootable version of the Linux operating system that contains a hacker toolkit and pop it into his CD drive, then restart the computer.
One of the tools allows me to change the local administrator’s password on his computer; I change it to something I know, so I can log in. I then remove my CD and again restart the computer, this time logging in to the local administrator account.
Working as fast as I can, I install a “remote access Trojan,” a type of malicious software that gives me full access to the system, so I can log keystrokes, grab password hashes, and even instruct the we...
This highlight has been truncated due to consecutive passage length restrictions.
Almost finished, as a last step I go into the registry of his computer and set “last logged-in user” to the engineer’s username so there won’t be any evidence of my entry into the local administrator account.
In the morning, the engineer may notice that he’s logged out. No problem: as soon as he logs back in, everything will look just as it should. I’m ready to leave. By now my buddy has replaced the overhead tiles. On the way out, I reset the lock.
Because the Trojan is running under his account, I have full domain administrator privileges, and it takes me only a few seconds to identify the domain controller that contains all the account passwords for the entire company.
A hacker tool called “fgdump” allows me to dump the hashed (meaning scrambled) passwords for every user.
Within a few hours, I have run the list of hashes through “rainbow tables”—a huge database of precomputed password hashes—recovering the passw...
eventually find one of the back-end computer servers that process customer transactions but discover the credit card numbers are encrypted. Not a problem: I find the key used to encrypt the card numbers is conveniently hidden in a stored procedure within the database on a comp...
Millions and millions of credit card numbers. I can make purchases all day long using a different credit card each ti...
But I made no purchases. This true story is not a new replay of the hacking that landed me in a lot of hot water. Instead ...
It’s what we call a “pen test,” short for “penetration test,” and it’s a large part of what my ...
I’m largely self-taught and have spent years studying methods, tactics, and strategies used to circumvent computer security, and to learn more about how computer systems and telecommunication systems work.
My passion for technology and fascination with it have taken me down a bumpy road. My hacking escapades ended up costing me over five years of my life in prison and causing my loved ones tremendous heartache.
When I was at school, the teachers told my mom that I was in the top 1 percentile in mathematics and spelling, years ahead of my grade. But because I was hyperactive as a child, it was hard for me to sit still.
But there was something else, something more important: I saw how his audiences of one, three, or a roomful found delight in being deceived. Though this was never a conscious thought, the notion that people enjoyed being taken in was a stunning revelation that influenced the course of my life.
He told me he’d just found a Motorola handheld that was a police radio. I thought maybe he could listen in on the police frequencies, which would be very cool.
Soon the mailman brought an envelope from the Federal Communications Commission with my ham radio license, something not many kids in their early teens have ever had. I felt a huge sense of accomplishment.
Fooling people with magic was cool. But learning how the phone system worked was fascinating. I wanted to learn everything about how the phone company worked. I wanted to master its inner workings. I had been getting very good grades all the way through elementary school and in junior high, but around eighth or ninth grade I started cutting classes to hang out at Henry Radio, a ham radio store in West Los Angeles, reading books for hours on radio theory.
One day it occurred to me, If I could punch my own transfers, the bus rides wouldn’t cost anything.
had no trouble. The very next day I was in the store buying a punch. But that was only Step One. How was I going to get books of blank transfers?
I stuffed my pockets with partially used books of transfers—my first of what would be many, many acts of what came to be called “Dumpster-diving.”
Afterward my parents chided me for mimicking the accent and gestures of the rabbi. But it was subconscious. I’d later learn that this is a very effective technique because people are attracted to others who are like themselves.
So at a very early age, all unaware, I was already practicing what would come to be called “social engineering”—the casual or calculated manipulation of people to influence them to do things they would not ordinarily do. And convincing them without raising the least hint of suspicion.
spent many of my weekends there, all day long, studying one book after another—books like The Paper Trip by Barry Reid, on how to create a new identity by using a birth certificate of someone who had passed away. A book called The Big Brother Game, by Scott French, became my Bible because it was crammed with details on how to get hold of driving records, property records, credit reports, banking information, unlisted numbers, and even how to get information from police departments.
That bookstore was crammed with “underground” books that taught you things you weren’t supposed to know—very appealing to me since I had always had this urge to take a bite of knowledge from the forbidden apple. I was soaking up the knowledge that would turn out to be invaluable almost two decades later, when I was on the run.
The other item that interested me at the store besides their books was the lockpicking tools they offered for sale. I bought several different kinds. Remember the old joke that goes, “How do you get to Carnegie Hall? Practice, practice, practice”? That’s what I did to master the art of lockpicking, sometimes going down to the area of tenant storage lockers in the garage of our apartment building, where I’d pick open some of the padlocks, swap them around, and lock them again.
The DMV clerk, a lady with a bored expression, looked up in surprise. He didn’t wait for her to finish what she was doing with the man at the window but just started talking. He hadn’t said more than a few words when the clerk nodded to him, signaled the other man to step aside, and took care of whatever it was Uncle Mitchell wanted. My uncle had some special talent with people.
shop, I was following in Steve Jobs and Steve Wozniak’s footsteps and building a blue box that would allow me to manipulate the phone network and even make free phone calls. I always brought my handheld ham radio to school and talked on it during lunch and recess.
He demonstrated how he could have people call him without revealing his real phone number by using a phone company test circuit called a “loop-around”; he would call in on one of the loop’s phone numbers while the other person was calling the loop’s second phone number.
He could get the name and address assigned to any phone number, listed or not, by calling the phone company’s Customer Name and Address (CNA) Bureau.
Before long I had picked up just about everything he was willing to share with me about “phone phreaking” and was spending most of my free time exploring the telecommunications networks and learning on my own, figuring out things Steven didn’t even know about.
And “phreakers” had a social network. I started getting to know others who shared similar interests and going to their get-togethers, even though some of the “phreaks” were, well, freaky—socially inept and uncool.
The basic tactic is simple. Before you start social engineering for some particular goal, you do your reconnaissance. You piece together information about the company, including how that department or business unit operates, what its function is, what information the employees have access to, the standard procedure for making requests, whom they routinely get requests from, under what conditions they release the desired information, and the lingo and terminology used in the company.
The social-engineering techniques work simply because people are very trusting of anyone who establishes credibility, such as an authorized employee of the company. That’s where the research comes in.
She went to check, came back on the line, and said, “No, we didn’t.” I said, “You should be using 213 687-9962.” “No,” she said. “We dial 213 320-0055.” Bingo! “Okay,” I told her. “We’ll be sending a memo to a second-level”—the phone company lingo for a manager—“regarding the change. Meanwhile keep on using 320-0055 until you get the memo.”
But when I called the Non-Pub Bureau, it turned out my name had to be on a list of authorized people, with an internal callback number, before they would release any customer information to me. A novice or inept social engineer might have just hung up. Bad news: it raises suspicions.
Ad-libbing on the spot, I said, “My manager told me he was putting me on the list. I’ll have to tell him...
had to call three different business offices before I found one that had a second-level who was a man—someone I could impersonate. I told him, “This is Tom Hansen from the Non-Pub Bureau. We’re updating our list of authorized employees. Do you still need to be on the list?” Of course he said yes. I then asked him to spell his name and give me his phone number. Like taking candy from a baby.
got his computer password to the school district’s minicomputer every time he changed it. In desperation, thinking to outfox me, he punched out his password on a piece of computer paper tape, which was the type of storage used in those pre-floppy-drive days; he would then feed that through the tape reader whenever he wanted to sign on.
Soon after he proudly announced to the class how he was going to stop me from dialing into USC once and for all, and held up a lock made especially for dial telephones: when locked in place in the “1” hole, it prevented the dial from being used.
But meanwhile I was teaching myself about RSTS/E (spoken as “RIS-tisEE”), the operating system manufactured by Digital Equipment Corporation (DEC) used on the school’s minicomputer located in downtown Los Angeles.
I started teaching myself the Fortran and Basic programming languages. After only a few weeks of computer class, I wrote a program to steal people’s passwords: a student trying to sign on saw what looked like the familiar login banner but was actually my program masquerading as the operating system, designed to trick users into entering their account and password (similar to phishing attacks today). Actually,
Sometime later one of the lab monitors ratted me out to the system administrator. Next thing I knew, three campus police officers stormed the computer lab. They held me until my mom came to pick me up.
The department chairman, who had given me permission to use the lab and let me log in on his own account, was furious. But there wasn’t much he could do: in those days, there were no computer laws on the books so there was nothing to charge me with. Still, my privileges were canceled, and I was ordered to stay off the campus.
My mom was told, “Next month a new California law goes into effect making what ...