If you are curious about who are script kiddies, you are in the right place. Script kiddies are a type of hackers who are infamous in the hacking community, and you will see why in this article. Not only we will explain who they are, but we will also see why they got their names and even how easy it is to become one.
Who are Script Kiddies?
Script Kiddies in Brief
We can think of script kiddies like the hackers of low level and skill. Typically, they are very young (even starting at 10 years old!), so that’s why they are called “kiddies”. However, the age is not the main reason behind the name.
Script kiddies are people who just execute hacks created by someone else.
Their three main characteristics are these:
- Script kiddies don’t have a great knowledge of IT or technology
- They limit themselves to copy code and hacks from other people
- They are unable to create a new hack or exploit from scratch
This is it. They are not real hackers because they don’t create the hacks themselves, they just repeat something that has been created by others. They are like copycats of hackers, but with little understanding of what they are doing. This is the real reason why they are called “kiddies”: because they are no professionals.
This definition is quite simple, but you may be left wondering “what is a hack?” or “how can they replicate hacks made by real hackers?”. Those are the right questions you should be asking, and we will address them in the coming section.
What is a Hack, anyway?
Of course, script kiddies never call themselves like that, as they are convinced to be real hackers. Simply put, a hacker is someone who can do a hack.
To explain this in plain English, a hacker can look at a target system, such as a computer, smartphone, or server, and identify some vulnerabilities. Based on those vulnerabilities – most likely a combination of vulnerabilities – he can create a targeted attack to gain access to the system. Pulling this off is not easy at all. The hacker will need to understand about operating systems, networks, programming languages, and system architectures.
The hacker is someone who can solve a complicated puzzle in creative ways to get what he wants. This can give us insight on why script kiddies are not really hackers. They don’t have a deep understanding of operating systems, networks, or even programming languages. Hence, they cannot solve new puzzles. Instead, they can only “solve” puzzles that have been already solved by others by applying the same solution.
What does a Script Kiddie do?
By now, we know that script kiddies need to use hacks created by other people. So, the first thing script kiddies will do is to search for hacks that are easy to replicate online. They can do that by looking at known vulnerabilities.
On the Internet, but in technology at large, many people have the same system. For example, there are many people using a Mac, there are many people using Microsoft Word, and so on. Most specifically, there are many people using that specific version of the Mac, or that specific version of Microsoft Word.
If there is a flaw in that specific version, a bug or something that is not working has expected, all the people will that version will have that. And, if that bug or malfunction can be useful to a hacker, we call it vulnerability. It is a common vulnerability because it does not depend on the circumstances: if you have that version of software, you have that vulnerability – no other circumstance is needed.
Normal hackers search for a target based on what they want to do. Maybe they want to discover information about an individual, damage a company, or perform some hacktivism (hacking for political reasons). They select a target and then figure out a way to breach it. Script kiddies work in the opposite way: they find a vulnerability, and then look for targets who have that vulnerability. Any target will do.
Since script kiddies don’t know how to circumvent complex security systems, but instead can execute only known attacks and at most glue multiple of them together, they cannot have the luxury to attack the target they want. They attack the target that is vulnerable enough, the one that is within their reach.
How People Become Script Kiddies?
Exploiting CVE
You may be surprised, but as soon as a known vulnerability is discovered it is published on the Internet. Often, it is published by the vendor, the company that produces the vulnerable software. Why? Because the company wants to detach itself from the problem, so it says “this is the vulnerability, this is the impact, and these are the versions affected. Please upgrade to those other versions to avoid the problem”. This communication is a CVE (Common Vulnerabilities and Exposures) – read more about CVEs here.
The thing is, not everyone is upgrading, and not everyone is upgrading fast enough. Between a CVE is released and the time it is patched (the new version is installed), a company may need some time to patch all its systems. Even more, not all CVEs are patched.
To find the list of CVEs, you can simply search the MITRE website. It does not even need registration. You can download the list of CVEs published in CSV format, so that you can browse it in Excel and find the CVE that best works for you.
Once you have the CVE list, you can search for target platform (such as Apache Web server, to make an example) and find the list of CVEs that affect that platform.
Finding a Hacking Tutorial
Script kiddies will need a hacking tutorial. Fortunately for them, they only need to select the CVE they want and look for a tutorial over the Internet. Let’s see how easy this is.
At the time of writing this Script Kiddies post, a huge vulnerability has been published that affects Apache Log4j, a common framework to log what software is doing used in many Java programs. Since there are many programs running with Java, and the vulnerability allowed to gain control of the system, it was a significant blow to many companies. Also fixing this vulnerability is not easy, because often companies don’t know exactly which pieces of their software use their module. This vulnerability is detailed in CVE-2021-44228.
Then, script kiddies only need to search “CVE-2021-44228 exploit” and they will find step-by-step guides on YouTube. In literally 5 seconds, this is what I found.
Are Script Kiddies Dangerous?
Some people think that script kiddies are not dangerous because they can target only systems with known vulnerabilities. But they will be wrong. True, they can target only systems with known vulnerabilities, but those aren’t few or rare. There are many old systems out there that script kiddies can take advantage of, and some of them can be even critical.
Sure, real hackers are way more dangerous than script kiddies, but this doesn’t mean script kiddies aren’t dangerous. They are like kids playing with the red button for a nuclear strike, not knowing or controlling where the strike will hit. This doesn’t mean that the hit will be painful.
Script kiddies can encrypt all the data in a hospital, stop a factory or potentially even an oil drilling site, crash the underground transport system, and more. This does not only depend on their skill (or lack thereof), but also on how updated and secured is the target system. Sadly, it often isn’t well protected.
Script Kiddies in Summary
In this brief post, we answered “Who are Script Kiddies?” and checked how easy it is for potentially anyone to become one of them. However, becoming a script kiddie shouldn’t be anyone aspiration.
If you are passionate about technology, you should strive to become a real hacker – not a script kiddie – and put that skill into good use (and not for illegal reasons). If you are interested in this path, try to start learning how to hack IP addresses in this guide.