Skidstorm – Why today’s hackers suck

In this article we will have a look at the info sec community and why so many of today’s hackers suck. Skids are nothing new. They are everywhere! They can be your neighbor, in your family, your class. No matter where you look, someone is a possible skid.

This article was inspired by the sad but revealing article “The Story of a Pentester Recruitment” published by Silent Signal, which gives a very good view of how bad things have become!

When I first started wandering into the offensive side of security I was not aware of the term “skid”. So before we move on with this article, I want to make sure everyone who reads it understands what it means. Let’s have a quick look at Wikipedia’s description of a skid:

In programming culture a script kiddie or skiddie (also known as skid, script bunny, script kitty) is an unskilled individual who uses scripts or programs developed by others to attack computer systems and networks, and deface websites. It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated programs or exploits on their own, and that their objective is to try to impress their friends or gain credit in computer-enthusiast communities. The term is generally considered to be pejorative.

So what does this have to do with why today’s hackers suck? The answer is, they are almost all skids! I have been hanging around on forums and other communities for a few years, and what I see the most is:

  • Copy & pasted tutorials (without credit to the original author)
  • Low-quality content
  • Tutorials on basic stuff, but always labeled as “advanced”
  • Questions like “how to hack [social_network] accounts?”

In general, all I see is people wanting to be hackers, but they don’t want to learn shit themselves. Everyone is looking for that one tool to rule them all. I rarely see any new research, new methods, new ways to do old things, etc. One of the reasons I think this is happening is that hacking has become a trend. Kids grow up reading about groups like Anonymous and they wanna be just like them. After the news about Anonymous started years ago, hacking became mainstream, something all the “cool kids” were doing. The problem is that this generation isn’t really interested in hacking or learning. They are interested in bragging to their friends. They want to be super 1337 h4x0rz without even breaking a sweat. They download tools, install BackTrack or Kali in a VM and run sqlmap, wpscan or whatever. The second they manage to dump a database or brute-force a WordPress login they feel like elite “cyber warriors”, and with the power of the tools they feel invincible.

For example, if you ask someone to perform a manual SQL injection, many will attempt to add a single or double quote to the parameters, and if nothing happens, or [insert_tool_here] fails to detect a vulnerability, they will declare “this is secure”. Why is this? To understand why, we need to do some quick research. Let’s see what pops up when we search for “advanced sql injection”:

[Image: Google search results for “advanced sql injection”]

The first two results are from trusted sources. The first hit is from the Mantra forums; Mantra is an OWASP project. The second hit is from Trustwave’s SpiderLabs. The problem here is that neither of those is about advanced SQL injection. The first one is as basic as it can get, and the second one is about how to use the tool sqlmap. Even though the SpiderLabs tutorial is a bit more difficult than the first, it’s still fairly basic.

Why do I think this is happening? In the old days, way before my time, there were not a lot of tools, and access to tutorials was limited. The people involved in the infosec industry actually had to learn everything the hard way. They had to take everything apart, dissect programs and deliberately mess up the configuration of services and machines to understand how things were actually working. They had to think for themselves. Today this has changed. We have easy access to information, and we have tools for everything. Really, we’re spoiled.

Now, we don’t need to know anything about computers or the web to hack a website. Enter a URL and press a button. Tools like sqlmap, wpscan, w3af, ZAP, etc. are all handy, I won’t deny that, but they are not perfect, so manual work is always required as well.

A well trained human brain will always beat the tools!

Here’s a small story explaining exactly what I mean by that statement.

A while back I wanted to do a small test. So I created an SQL injection challenge, a fairly simple one, and I made it public. I was monitoring the logs and talking with some of the people who were actively working on solving it. One of these people was trying to solve the challenge using sqlmap, and was using it in more advanced ways, including the use of tamper scripts. At one point the person had 4 instances of sqlmap running simultaneously, all with different configurations. This person spent several days trying to solve it, without success. Then another person joined in, and within 30 minutes this person had solved the challenge manually!

Now, how is that possible? I mean, sqlmap is the leading SQL injection attack and exploitation tool. The reason is that a tool has a fixed set of payloads, written by humans, and it will only try those. This works in many, if not most, cases. While that is all good, a person is able to adapt much more to the behavior of a website and to different filters, and to tweak and fine-tune the payloads.
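To make the point from the “add a quote and see if anything happens” paragraph and the story above concrete, here is an added illustration (not code from the original post or from the challenge it describes). It assumes a constructed SQLite table and a naive quote-stripping “filter”: the quote test produces no error and a fixed payload aimed at a string context goes nowhere, yet the numeric column is still injectable, while the parameterized version binds the value and is safe regardless of what the filter catches.

```python
import sqlite3


def make_db():
    """Constructed demo table (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def strip_quotes(value):
    """Naive 'protection' that makes a quote-only test report 'nothing happens'."""
    return value.replace("'", "").replace('"', "")


def lookup_concat(conn, user_id):
    """Vulnerable: id is numeric, so the input is concatenated without quotes.
    Stripping quotes does nothing for a numeric context, so a quote test is
    silent here even though the query is still built from user input."""
    sql = "SELECT name FROM users WHERE id = " + strip_quotes(user_id)
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, user_id):
    """Hardened: the driver binds the value; it is data, never parsed as SQL.
    SQLite's INTEGER affinity turns the text '1' into 1, and anything that is
    not a clean number simply fails to match."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return sorted(row[0] for row in rows)


def quote_test_is_silent(conn):
    """The check the post describes: append a quote, see whether anything
    changes. Returns True when the vulnerable endpoint still answers normally,
    i.e. the test would wrongly be read as 'this is secure'."""
    return lookup_concat(conn, "1'") == lookup_concat(conn, "1")
```

A quote-only test being silent is not evidence of safety; the only verdict a defender can trust is whether the query is built by binding parameters, which `lookup_param` shows.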

So what am I really trying to accomplish with this post? I guess I am trying to start a discussion on how to change this trend, or at least how to make a difference for those of us who are hungry for information and not in it for bragging.