In the hacking world, the term script kiddie is used in a derogatory sense to refer to a clueless novice. Literally, the term means someone that uses the scripts (code) of others because they are unable to program themselves. While condescending, there is truth to the fact that inexperienced hackers use someone else’s code.
One of the best places to look for hacking scripts is on the deep and dark web. On underground forums, actors share all sorts of introductory hacking tools that can help an aspiring threat actor being their journey. Very often, these tools are bundled into what are known as cracking packs or hacking packs—large directories that include several up to a few dozen hacking tools.
Generally, these packs are shared for free (hosted on an underground filesharing site) or sold for a nominal fee. Sometimes they are grouped by a theme, such as account takeover or carding. Furthermore, they often include tutorials, which explain how to use the tools and also, how to conduct a specific social engineering scheme.
How many and what?
We identified 122 unique cracking packages shared on underground forums since the beginning of 2022. Many of these appear to be repackaged, that is, that actors mix and match tools from other packs to make their favorite thematic “playlist.”
Most of the identified packs do not have a specific focus, instead containing tools that target a wide variety of services. Beyond these, the most popular topics are packs containing exclusively tutorials, and then those targeting social networks, gaming, and containing RATs.
The cracking packs target the most popular services. Big brands such as Netflix, Amazon, Spotify, Facebook, Instagram, Twitter, Discord, Telegram, WhatsApp, and Steam are almost ubiquitous among them. Credential stuffing, carding, and cashout tools and methods are also popular, as attackers that want to take over a financial account will need to know how and then what to do if they succeed.
Let’s take a look at some examples.
In this pack, known simply as “Master Hack Pack,” one can find 80 items, including tools and tutorials for cracking platforms such as Netflix, Whatsapp, Instagram, Amazon, Walmart, and PayPal. Altogether, the list seems rather scattershot; the tools contained in this pack are not exactly complementary pieces in a single attack, rather, they all target immensely popular services. However, considering that every beginner wants to build a strong reputation, this pack’s promise of giving the ability to target these services seems rather appealing.
In this post, an actor shares their “Private Cracking Pack.” Similarly, it includes tools for carding and account takeover:
The tool displayed below is actually a cracking pack in a single application. It contains 22 different features: file tools (file cutter, file joiner), combo tools (combo splitter, password modifier, email splitter, username scraper), dork tools (dork generator, dork maker, dork checker, dork scanner), list tools (list duplicate remover, list randomizer, list sorter), proxy tools (proxy scraper, proxy checker), hash cracker (MD5 cracker online, hash cracker offline), custom configs, account cracker. Altogether, it is a Swiss Army Knife for novice hackers.
Finally, this “Ultimate Hackpack” contains a menu of tools for carding, network hacking, phishing, spamming, and even malware and ransomware. All of these tools are available in a free download link at the end of the post.
Very importantly, this post contains hundreds of comments. This indicates two things. First, that this pack was widely consumed and used. And second, it is confirmation that the tools are viable in the first place.
It is important to pay attention to the many cracking packs circulating on the underground. These tools are in the hands of countless threat actors. Analyzing what they target sheds light on what threat actors are motivated in attacking. And examining how they function reveals the capabilities available to the masses of threat actors.
As these cracking packs are generally distributed for free download, it is also easier for a malware analyst to get their hands on one for investigation relative to a sample of a malware-as-a-service, which could cost hundreds of dollars. For defenders, these are treasure troves of knowledge about adversarial intent and TTPs.
While beginner hackers do not receive the respect of advanced crime groups and APTs, they must be considered in any organization’s threat model. While limited in skills, they are plentiful in numbers and generally unencumbered by the fear of being detected. This mass recklessness enables them to inflict death by a thousand papercuts.
And finally, script kiddies grow up. Some of today’s consumers of cracking packs will later be writers of their own malicious scripts and perhaps in the future, members of advanced crime groups. These tools are indeed their first step of their journey in the hacking world.