Security Experts:

Connect with us

Hi, what are you looking for?



Help! I Think my Kid is a Script Kiddie

As a security guy I sometimes have friends and relatives asking me for professional advice, like “I lost my iPhone, can you help me look for it?” or “How do I delete my browser history, you know, in case my wife checks up on me?” It’s not easy being a technical wizard amongst the masses.

As a security guy I sometimes have friends and relatives asking me for professional advice, like “I lost my iPhone, can you help me look for it?” or “How do I delete my browser history, you know, in case my wife checks up on me?” It’s not easy being a technical wizard amongst the masses.

The other day the mother of one of my daughter’s friends confessed her concern about her son being “one of those Anonymous hackers”. She mentioned that her son was very much an introvert, a habitual gamer and hung around with other kids (all guys) who seemed to be just as geeky.

Script Kiddies HackingAfter some additional questions, I was thinking her kid was probably a simple script kiddie (or skiddie, skid, script bunny, and script kitty) instead of a serious hacker.

Having made the mom feel a bit better, I found myself wandering the Internet to see if I could dig up some thoughts and impressions on script kiddies.

My first stop was Wikipedia: “A script kiddie … is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks and deface websites.”

No One Likes a Script Kiddie

There seemed to be a lot of agreement with Wikipedia on the fact that no one likes or respects script kiddies, except maybe other script kiddies. Phrases like “… little or no personal knowledge of hacking …”, “… giving hackers a bad name …”, and “… immature forms of vandalism …” continued to be repeated over and over again (wiseGeek).

I was lucky enough to find a July, 2000 article by Robert Lemos where interviews of several script kiddies produced some very enlightening quotes from the kids themselves:

“It’s a way to escape a lot of the bullsh*t that I get in real life,” … “Because I don’t have that much going on in my life.”

“My dad just said, ‘now’ … that’s when I gotta get leaving.”

“The world we live (in) … everything is the same, so incredibly boring. I feel if I deface, at least, I’m making some kind of difference.”

“I’ll continue defacing, not as much as I used to, but I will be around.”

“Never deface any site in your own country or give information about yourself over the Internet.”

“Be nice, always, so no one will hate you.”

The kids in these interviews appeared to be young (still living at home?), bored and seemingly without a solid direction in their lives.

Website Tagging – An Internet Game

One of the more interesting script kiddie characteristics I found was their apparent need to gain recognition amongst their peers by ‘tagging’ websites they hacked. Tagging comes in the form of either pointless defacing of the site itself (inserting an obnoxious page into the site) or secretly inserting ‘graffiti’ text into the website code in places where only other script kiddies will come across it (this is called ‘web cracking’). Like legitimate video game players, script kiddies keep track of points “won” with each website successfully breached.

Botnets for Fun and Profit

While script kiddies have not gotten any more sophisticated over the years, the tools they use for hacking certainly have. Even with these very powerful tools it is good to note the majority of the disdain that ‘real’ hackers have for script kiddies is the fact that they use these ‘canned’ tools in perfunctory ways, without skill or creativity.

The use of these easy to use tools brings up another script kiddie obsession – the building of large botnets that can be used for malicious purposes. Botnets are complex systems of zombie computers – PCs that have been hacked and infected with silent robot (bot) programs.

A bored script kiddie might take his botnet army of hundreds or thousands of bots and launch a Distributed Denial of Service (DDoS) on an unsuspecting commercial or government website, just for the glory it might grant him or her. Any commercial damage to the site would just be collateral damage that resulted from the botnet joy ride.

Script Kiddie Training Ground

It seems the best place for a script kiddie to learn the trade of Web hacking is from the Web itself. A simple Google search on ‘web cracking’ turned up a large number of sites whose only goal is to teach script kiddies how to use tools and techniques for cracking.

One of the best training sites was The Crack Hack Forum. Its many forms are written in a DIY style – with obvious titles like:

• Web Cracking Tools: Need a certain tool to crack a file hosting or web login? Check here, we might have it.

• Web Cracking Tutorials: Trying to learn how to crack? Check out our big section of tutorials where we teach how to use tools to crack file hosting and other web logins.

Another site, calling itself the Computer Security Group, is an obvious play on the very prominent, real Computer Security Group that produces tools to fend off web attacks. Among other features, the hacker version of the Computer Security Group site contains a blog that features information for the script kiddie looking for an education:

• How to Hack Facebook

• Webbackdoors, Attack, Evasion and Detection

• 2011 – Best Password Hacking Breaking Tools

You can also sign up for the Computer Security Group newsletter, ‘Subscribe & Don’t Miss a Free Hacking Course’.

If all of these training sites weren’t enough, script kiddies can always turn to YouTube. Not only do newbies get a hacking education, but the pros get to promote themselves to the top of the hacker pecking order. Just a few of the many videos would include:

• Cracking Wireless Networks: 2,119,260 views

• How To Get Into Locked Wifi Without A Password: 880,593 views

Note the sheer number of people who found these videos interesting.

Heroes of the Script Kiddie Underworld

No sub-culture is without its heroes. Two of the more infamous members of script kiddie history gained their notoriety by the massive impact they had on the Internet as well as the fact that they used tools and examples created by real hackers.

• Michael Calce (aka Mafia Boy) – Calce was a Canadian high school student when arrested for causing an estimated $1.2 billion in damage to sites such as Yahoo!, Dell, eBay, and CNN. Calce’s expensive pranks were done using downloaded tools to launch Denial of Service (DoS) attacks.

• Jeffrey Lee Parson (aka T33kid) – Parson, 18-year-old high school student from Minnesota, was arrested in 2005 and the cause of the infamous Blaster computer worm. All Parson did was make a few modifications on an existing computer worm program with a simple hex editor.

While I couldn’t find any documented correlation between script kiddies and hard-core video gamers, I couldn’t help but draw my own, uneducated comparisons. It is not unreasonable to think of the Internet as one heck of a computer game; one where the stakes are higher (arrest perhaps) and the rules far more fluid – just the thing for a bored kid with access to the Internet.

Like any well-established sub-culture, the world of script kiddies is fascinating to watch, difficult to fully understand from the outside and obviously intriguing to those within that world.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...