18

When I think of a script kiddie I think of someone who might barely research a tool then point it at a website - things like the recent question about LOIC come to mind when I think of that. A hacker (either black/white/grey), I imagine, is much more methodic and plans his route - they're running this system, with that IDS, and these security measures - so their attack is hopefully more pinpointed, less noisy, and more effective.

What I'm having trouble with is distinguishing between the two - a script kiddie might use metasploit, Cain & Abel, or Nessus, but a hacker or pentester would probably use them as well. What distinguishes these two? I know the script kiddie most likely won't know what's going on, but to what extent does the hacker need to know what's going on to not be considered a 'script kiddie'?

For example I like security and I am really interested in learning about it. I know about various tools such as metasploit, nessus, cain, hamster/ferret, wireshark, nmap, LOIC, etc. but I don't use them because I don't know how, or quite understand how exactly they work. I've been setting up a network of VMs to play with and do it responsibly. If that's considered being a script kiddie, what would be the defining line between a script kiddie and a hacker?

Anders
  • 64,406
  • 24
  • 178
  • 215
cutrightjm
  • 1,714
  • 4
  • 18
  • 31
  • 11
    Why does it matter? Would their title make you treat them differently? For example, when building a threat model or risk profile, it is helpful to classify the threat agent according to the level of required skill. Calling a low-skilled, untargeted attacker as a "script kiddie" (or "skiddie") is a nice shorthand that gets the point across, but it doesnt really matter if we call them that, or decide that "Shetland Ponies" are the new euphamism. Laws don't apply differently to Ponies, nor would you implement countermeasures only for Ponies (or non-Ponies). Seems NC to me, so what does it matter? – AviD Apr 16 '13 at 07:08
  • 1
    A lot of organizations fingerprint threats by a lot of different metrics. If all of the attacks you see from one of those threats is straight out of tutorials you can find online, this is useful information to have. From a security standpoint, it doesn't change anything, but from a triage and "What do I need to do right this second" it makes a lot of difference. –  Apr 16 '13 at 14:33
  • One has a pretty good idea of what they are doing. The other does not. – Steve Apr 15 '13 at 23:13
  • Script-kiddies are not hired by governments or criminal syndicates; as they lack adaptability in the field. Regarding "hacker" terminology - Yes, the media co-opted the term; get over it. People self ascribing as hackers don't own the term. And frankly this sort of sub-cultural snobbery masks hobbyist apologism for how these skills can be used. – LateralFractal Oct 14 '14 at 23:51

6 Answers6

21

It really depends on your point of view.

From the outside, the "script kiddie" is, nominally, the wannabe attacker who uses tools written by other people (the "scripts"), without really understanding what is going on. Everybody uses tools written by other people (if only operating systems, C compilers, libraries...), but some people have a certain understanding of how things work internally, and could, at least potentially (if free time was free), rewrite these tools from scratch.

The script kiddie himself does not think of himself as a "script kiddie", of course. In his view, he is an "elite hacker", and the other people are script kiddies. The expression "script kiddie" is meant as a disparaging designation, to insist on the alleged youth of the individual and its associated inherent shame. To consider youth as shameful by nature, you have to be young. Old people don't think of youth as a disgusting fact to hide, but as a lost treasure. When somebody uses the expression "script kiddie" too often, you can often infer that this somebody is himself not very old, and a metaphorical scripty smell probably lingers around his person.

A more neutral, less emotionally charged classification would be about competence. Attackers are more or less competent at what they do. Just like anybody. The less competent attackers, which other script kiddies are prone to point out and mock as "script kiddies", will run their tools (collected on the Internet), and if the off-the-shelf tools don't succeed in the attack, they soon give up. More competent attackers will adapt their tools to the specific situation; they see the tools more as a generic framework for attacks than the actual instruments.

Given the above, to avoid being seen as a script kiddie, the trick is to distantiate yourself from the kiddie term, not from the script. Scripts, and, more generally, tools, are neutral. It is the maturity of your reactions, or lack thereof, which will mark you as a script kiddie or not. Despite what is usually believed on the subject, it has very little to do with technical skill; it is a matter of communication, of public relations. Be cool, don't whine, and you will never be a script kiddie.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • 2
    I've heard some people describe themselves as currently being just scriptkiddies actually. They used some tools, but knew that they didn't understand it and knew the term for it. It's not merely a disparaging designation. – Luc Apr 16 '13 at 08:03
  • @Luc A script kiddie is also someone who believes they are 1337 h4x0rz. If someone admits that they do not understand how something works, they are probably not script kiddies, just novices. Now if, on the other hand, they considered themselves experts who were oh-so-cool and tried to show off at any opportunity, they would much more squarely meet the qualifications required to be a script kiddie. – forest Feb 16 '18 at 05:43
  • 1
    All in all, a script kiddie is a novice hacker with a heavy dose of Dunning–Kruger. – forest Feb 16 '18 at 05:50
12

I read somewhere, I forget where, they divided hackers into three levels of expertise.

The lowest level was Script kiddie. Script kiddies have very limited knowledge and almost no knowledge beyond the attack they are attempting. They may not completely understand the attack they are attempting. An example of this would be a person ARP poisoning a network with Cain, but the person does not know what ARP is or why the attack works. These people are likely to identify targets for the exploit they will try and if it does not work they will move on. Blind SQL Injections, for example, is a common real world example of a script kiddie. It is important to say that Blind SQL injections, or any attack a script kiddie might use, may be used by more advanced hackers. They are just a tool in the toolbox

I don't remember what the second level was called (lets go with Hacker)but this was a level of hacker that DID understand how and why attacks worked. They may write some security tools for themselves to use, and they may not know everything there is to know, but they are NOT a one-trick pony at this level.

The third level was called Elite Hacker. These people will understand all of the underlying mechanisms of their attacks, create new attacks, write some of their own security tools, and have a deep knowledge/experience when it comes to attacking computer systems. These people are more likely to be persistant and use 0day exploits.

It is quite simple. As you get more tricks, understand more about how the computer works and how to get what you want, you become a better hacker. How you deal with someone like a script kiddie is completely different than how you deal with an elite hacker. Frustrating a script kiddie may cause him to go to the next website on his hit-list, but an elite hacker may require more resources and more time. It is hard to lump people into groups, since all people are so different, but I think these three categories do a pretty good job

  • 2
    This mirrors what my own attempt would have been. There's a distinction between people who can replay existing attacks, write implementations of existing attacks, and invent new attacks. – Stephen Touset Apr 15 '13 at 23:44
  • I think you may be referring to my answer on Quora: http://qr.ae/I17KX (I'm not the most-proud of this, since I don't think the distinction is particularly valid) – bonsaiviking Mar 04 '14 at 20:33
  • No I wasn't. As far as I can tell, I posted this before you posted that on quora. –  Mar 04 '14 at 23:25
  • Well, I'm glad we are serving as Urban Dictionary now. Whatever would I have done without a suitable label for the guy kicking down my cyber front-door? – LateralFractal Oct 15 '14 at 01:03
5

Wikipedia on Script kiddies (emphasis mine):

In hacker culture a script kiddie or skiddie, (also known as skid, script bunny, script kitty,) are unskilled individuals who use scripts or programs developed by others to attack computer systems and networks and deface websites. It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated hacking programs or exploits on their own, and that their objective is to try to impress their friends or gain credit in computer-enthusiast communities. The term is typically pejorative.

So in short, they're a clueless nuisance which may still cause harm, be that on purpose or by accident.

Concerning the term "Hacker", there is a lot of ambiguity. My personal preference is the programmer subculture (again emphasis mine):

A hacker is someone who loves to program or who enjoys playful cleverness, or a combination of the two. The act of engaging in activities (such as programming or other media) in a spirit of playfulness and exploration is termed hacking. However the defining characteristic of a hacker is not the activities performed themselves (e.g. programming), but the manner in which it is done: Hacking entails some form of excellence, for example exploring the limits of what is possible, thereby doing something exciting and meaningful. Activities of playful cleverness can be said to have "hack value" and are termed hacks (examples include pranks at MIT intended to demonstrate technical aptitude and cleverness).

So that may also include someone who e.g. modded their smartphone into a garage door opener (at least for them it'd be exciting, I guess). What you are probably referring to, however, is more precisely called a Black hat hacker (and again, emphasis mine):

A "black hat" hacker is a hacker who "violates computer security for little reason beyond maliciousness or for personal gain" (Moore, 2005). Black hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture, and are "the epitome of all that the public fears in a computer criminal". Black hat hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use the network.

So that's someone who actively seeks to harm others for selfish purposes, and they are clever enough to actually understand what they are doing.

In summary:

  • Script kiddies are like school bullies: Annoying but clueless
  • Black hat hackers are the mobsters: Bullies gone professional
  • Hackers in general: They just like wearing a pinstripe suit - that doesn't make them evil, but the public always thinks of their black sheep cousins...
Tobias Kienzler
  • 7,578
  • 10
  • 43
  • 66
4

You're talking about classifications that humans make, not some objective measurement of skill. When does someone become old? When is someone tall? Ask 50 people and you'll get a different answer for all of them.

Script kiddies are simply beginners in "hacking". Hackers are simply those with more experience. There is no single universally agreeable point where one transitions into another.

There is nothing wrong with being a "script kiddie" despite the negative connotations. Every beginner will always be one, because we're not born with a manual in our head. The difference is whether you wish to learn or not. Don't even bother thinking about these useless definitions while learning.

Peleus
  • 3,827
  • 2
  • 18
  • 20
  • 1
    I think that even though the terms used to describe them may be subjective and argumentative, the distinction between the two is still relevant beyond their definition. For example, I may want to know what level of knowledge to expect from a just detected attack attempt, and act accordingly. If I see an inexperienced script kiddie trying out common attacks, I might amuse myself for a while before acting on it. OTOH if I detected an experienced hacker patiently collecting my banners, and have problems detecting his other activities on my server, I will be closing the pipes on him ASAP. – TildalWave Apr 15 '13 at 23:37
  • While true - the question relates to the terms used to describe them, and specifically when does one transition into another. Your point of a more skilled attacker being more dangerous is self evident, it doesn't have any impact on whether they should be called a script kiddie or hacker. – Peleus Apr 15 '13 at 23:46
  • Agreed, and I was not disputing your answer. They're all hackers anyway, well -- or they're trying to be. One is a less experienced, less skilled subgroup of the other with same or similar intentions, so finding a clear line between the two will always prove difficult. Besides, when I detect any of the two anywhere near flags I defend, I tend to give them a lot less favorable nicknames anyway :)) Cheers! Oh, [found this](https://en.wikipedia.org/wiki/Hacker_(computer_security)#Classifications). Yey for Wiki! – TildalWave Apr 15 '13 at 23:52
  • Not every "hacker" is born as a script kiddie, they are born as a novice hacker. A novice hacker will download Kali Linux, try to read up how it works but not quite understand. They will try to learn more, and will admit they know little. With enough work, they may start to gather a better understanding of security. A script kiddie on the other hand will download Kali Linux, pop up hping3, try (and fail) to DoS a site, and proclaim when their own internet goes down that they are expert hackers to be feared and respected. – forest Feb 16 '18 at 05:49
2

I'd personally say that the difference between a script kiddy and a de-facto hacker does not lie in the tools used at all - merely in the motivation and innovation pulled off by the person. To this end, an example from my IRC NetAdmin days: every few days, we'd get a botnet fired at the network. So what? Easy to defend against, more of a nuisance than anything, really... Yet those people would keep going with the same tool, every single time, despite the numerous defenses that were custom-coded to avoid this (there's still an unrealIRCd mod around from that specific network).

They'd always keep going, though, with the same tool that was now defunct. You'd see bots connecting, not being able to join anything, disconnecting. They would never figure out any other way (or didn't want to), or maybe just did this without even monitoring because "hurr durr durr I bet they're shaking!".

A script-kiddy is a one-trick pony who discovered this trick and thought "I'm the master of the Universe!", usually. They know one thing that someone handed to them and probably consider it the gospel. You're lucky if they discovered pentesting tools - usually, all they know is LOIC & Cain&Abel and maybe the ripper. They may know how to exploit the simplest forms of SQL injection flaws/vulns, and they think they're awesome for it.

A hacker, on the other hand, has all this knowledge + the ability to chain attacks together + the motivation to do so + the skill to actually understand what they are doing. Most of the time, they're not doing it to feel awesome - they're doing it to prove a point.

Sébastien Renauld
  • 685
  • 3
  • 8
-2

More for the sake of introducing a potentially new perspective than anything else, I might argue that the difference lies in the motivation of the "attackers." I'll use @Rell3oT 's 3-type system, because it seems fairly straightforward.

A "script kiddie" will run attacks for purposes of validation - from himself or from others. He wants to think he's "cool", so he'll generally wreak havoc in hopes that he'll garner some respect.

A "hacker" might be looking to make an easy buck, learn something, or just have a bit of fun. Either way, he has a specific objective in mind. With the exception of the people who want money, hackers are generally looking for a challenge, and may overstep their bounds doing so. The more materialistic hackers are really just knowledgeable script kiddies, but the way they structure their attacks changes with their objectives - as @Tobias says, they're really more like thugs now, rather than bullies.

A "professional hacker" (not sure if "elite" is the right word) is someone who understands how each of a systems work, and generally seeks to "play around" with either specific systems or how they interact to form a whole. This may or may not result in the publishing of an exploit (depending on the hacker's motivations). This section is a bit sparse, because I haven't met enough of these people to claim to really understand them.

KnightOfNi
  • 2,247
  • 3
  • 18
  • 23
  • I've been a skiddie (and I've known skiddies) with particular goals rather than just looking cool. I know (pro) hackers who like the validation of looking cool. And particularly the bit about having a specific objective, I'd say the hacker and pro hacker is reversed more often than not (though not always). I'm not sure any of the assumptions/generalizations made here are true at all. – Luc Feb 09 '18 at 20:45