
All my life, well, at least since the late 1990s, I've heard of this concept of "script kiddies". Allegedly, it's a term to refer to young kids or teenagers who, apparently, are somehow able to find "proof of concept" pre-coded exploit scripts of some kind, and proceed to download these to their own computers where they run them on some target website (or other server), hoping that they are unpatched/vulnerable, and, as a result, gain access to this server/computer/system.

Is, or was, this really a thing?

I was an extremely lonely "nerd" with tons of anger and frustrations. I actively looked for all kinds of sketchy stuff. But I never found anything like what I described above. I don't believe it exists. I don't buy that there is such a thing as a "script kiddie".

Either that or I really was a lamer who couldn't even find a pre-written script to run.

To me, it seems like "script kiddie" is a made-up concept. I don't believe that it's as simple as running a simple script to break into a system, and I don't believe that such a script would be published in public in a way that makes "kiddies" able to find and use them.

I think the term was coined by annoyed system administrators whose systems had been compromised, and rather than blaming themselves, the developers or "actual intruders", they make up this idea (possibly after watching the movie "Hackers") of there being a bunch of little annoying early teenage kids sitting there mindlessly running scripts which cause havoc.

Basically, if it had been that easy to "auto-hack" systems, this would've been abused far more often and automated long ago. I recognize that I'm not the smartest person in the world, and that there are extremely smart 14-year-olds, but I don't "buy" this whole concept. I think the "script kiddie" is a nonexistent scapegoat.

It's much easier to blame "those darn kids who don't even know how to code" than admit that you were accepting any username/password to your world-facing database due to an embarrassing misconfiguration.

schroeder
  • Of course it is a made-up concept, but it was created to be able to make a difference between a code-writer that is the true expert and someone that just uses something he randomly finds. – Overmind Mar 10 '20 at 06:38
  • "I don't believe that it's as simple as running a simple script to break into a system" -- your whole question is based on this belief. And then you go off on a long rant about system admins under the assumption that your belief is true. However, there are entire libraries of pre-configured scripts to do this. Some are even helpfully collected into frameworks. Look up Metasploit. – schroeder Mar 10 '20 at 08:40
  • There is also available material to explore the term: https://en.wikipedia.org/wiki/Script_kiddie and using the search term "script kiddie history" I get this helpful research: https://liveoverflow.com/the-origin-of-script-kiddie-hacker-etymology/ . So yes, it would appear that you were not part of the communities where these scripts were widely available and have been available since at least the late 90's. – schroeder Mar 10 '20 at 08:40

1 Answer


You misunderstand what it means to be a "script kiddie".

A "script kiddie" is someone who uses pre-existing tools without understanding how to use them properly, what they do under the hood, and what their goal is. Let's take an example:

Alice, the Hackress

Alice has been a hacker for many years. She is hired to do an internal security assessment for ACME Corp. She begins by doing some passive reconnaissance, then moves over to doing some port scans. She identifies that there are some Windows XP hosts running some antique accounting software. Naturally, she launches Metasploit and checks if the host is vulnerable to Eternalblue. It is, and she (ab)uses this to gain SYSTEM privileges on this host. From there, she tries to gather some credentials of other users. She finds that an Administrator previously logged into the machine - probably to set up that ancient software - and didn't wipe his cached credentials. It's an LM hash, so very easy to crack. She launches hashcat to crack the LM hash, and within seconds she knows the password of a privileged domain account.

Bob, the Script Kiddie

Bob wants to be like Alice, so he googles how to become 1337. He downloads Kali Linux and launches every program he can find. He has rudimentary command line knowledge, so he mostly sticks to GUI wrappers of popular tools, like Armitage or Zenmap.

He then tries to become a real hacker by launching some videogame and using a tool he found online to see the IP addresses of those who play with him. He inputs them into Zenmap and gets no results - but doesn't understand why. He then inputs it into Armitage and just launches random modules, judging rather by what sounds cool than what makes sense, because Bob doesn't know what makes sense.

Armitage returns nothing, and Bob gets frustrated. Bob is a script kiddie.

What's the point?

Why do we even label people "script kiddie"? The reason is because there are people like Bob who want to pose as hackers, but don't understand any of the underlying concepts. Bob doesn't know what Authentication or Authorization mean, nor does he know what a Buffer is or why it would overflow.

We distinguish between these people because "real" hackers don't like "script kiddies". The reason is simply because they are annoying, are comparatively "loud" (as in "tool doesn't do what I want because I don't know how to read a manual") and they don't contribute anything meaningful.

Furthermore, "script kiddies" are used as the lowest possible threat level. If a vulnerability is so easy to exploit that even a "script kiddie" could do it, then you really have a problem.

Who is not a script kiddie?

Some people seem to think that anyone who uses pre-made tools to do anything is automatically a "script kiddie" and should be shunned. This is obviously wrong. Pre-made tools are extraordinarily useful, especially for "real" hackers. They take away the boring tasks that can be automated, and allow them to focus on the tasks that can't be.

Sure, I could write a program from scratch that does port scans, but why would I? I already have nmap, and it'll probably do a better job at it than I could within a few hours. Again, the difference between a hacker and a "script kiddie" in this case would be that a hacker understands what nmap does under the hood, and a "script kiddie" does not.

Were "script kiddies" ever a real thing?

Yes, and they still are. Even several decades ago, when phreaking was a thing, there were people who used the Captain Crunch whistle, but didn't understand what it did or how it worked. In essence, these were the "proto-script kiddies", as they abused a vulnerability using pre-made tools without knowing what they did.

  • I don't think the question is "what is a script kiddie?" I think the post is "I don't believe it is possible to have scripts, therefore there can be no script kiddies". The OP is questioning the premise that there are "pre-existing tools" that do not require expert knowledge to use. – schroeder Mar 10 '20 at 09:02
  • @schroeder I gave some examples in some paragraphs, such as Armitage, Zenmap or the Captain Crunch whistle – Mar 10 '20 at 09:10
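The answer's point is that a hacker knows what nmap does under the hood while Bob, feeding a game peer's IP into Zenmap and getting "no results", does not. The example below is added here and is not part of the answer or of nmap itself: it is a minimal TCP connect scan (the same per-port test as `nmap -sT`), written to show the three states a scanner can report and why each one appears. Host and port choices are local loopback so it runs offline; the listener and the "closed" port are constructed by the script, not taken from the page.

```python
"""Minimal TCP connect scan: what `nmap -sT` does for each port.

Added example for this page; not nmap's code. Hosts/ports are local.
"""
import socket
import threading
from typing import Dict, Iterable, Tuple


def scan_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a connect scan does.

    open     -> the three-way handshake completed, connect() returned
    closed   -> the host answered with RST, connect() raised ECONNREFUSED
    filtered -> nothing came back before the timeout (a firewall dropped
                the SYN, or the host is unreachable). This is the state a
                typical home gateway shows for every port, which is why a
                scan of a random game peer "returns nothing".
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # EHOSTUNREACH / ENETUNREACH etc.: no answer is still no answer
        return "filtered"
    finally:
        sock.close()


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan several ports and return {port: state}."""
    return {port: scan_port(host, port, timeout) for port in ports}


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Start a throwaway TCP service on an OS-chosen port (gives us an 'open' port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener socket was closed
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def free_port(host: str = "127.0.0.1") -> int:
    """Return a port nothing is listening on (gives us a 'closed' port)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    for port, state in scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1:{port} {state}")
    srv.close()
```

Two caveats a user of the real tool should know: a connect scan finishes the handshake, so the target service sees (and can log) a real connection, which is why nmap's default as root is the half-open SYN scan (`-sS`, needing raw sockets) instead; and "filtered" only means no reply arrived in time, so against a firewalled host every port looks the same and a bigger tool or more modules will not change that. Scanning hosts you are not authorised to test is also the thing that gets Bob noticed, not the thing that makes him a hacker.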