Introduction
In this lab, you will learn how Hydra handles interrupted attacks and how to resume them effectively. We will simulate an interrupted Hydra attack against the SSH service on localhost by creating simple username and password lists, launching an attack, and then manually interrupting it using Ctrl+C.
This lab will then guide you through restarting the attack with the -R option and observing how Hydra handles restore files, followed by using the -I option in conjunction with -R to ignore restore files and ensure a fresh start. You will learn the difference between completed attacks and interrupted attacks in terms of restore file creation.
Create Test Files and Run Initial Attack
In this step, you will create the necessary test files and run an initial Hydra attack to understand the baseline behavior. This will help you understand how Hydra operates when attacks complete normally versus when they are interrupted.
First, navigate to your project directory:
cd ~/project
Now, let's create a simple password list. Use nano to create a file named passwords.txt in your current directory:
nano passwords.txt
Add a few common passwords to the file, one password per line. For example:
password
123456
qwerty
Save the file by pressing Ctrl+X, then Y to confirm saving, and Enter to confirm the filename.
Next, let's create a simple username file. Use nano to create a file named users.txt in the same directory:
nano users.txt
Add a single username to the file:
root
Save the file and exit nano using the same steps as before.
Now, let's run a complete Hydra attack to see the normal behavior:
hydra -V -L users.txt -P passwords.txt localhost ssh
Let's break down this command:
-V: Enables verbose mode to show detailed attack attempts-L users.txt: Tells Hydra to use theusers.txtfile for usernames.-P passwords.txt: Tells Hydra to use thepasswords.txtfile for passwords.localhost: Specifies the target host aslocalhost.ssh: Specifies the service to attack as SSH.
You should see output similar to this:
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-30 09:56:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 3 tasks per 1 server, overall 3 tasks, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking ssh://localhost:22/
[ATTEMPT] target 127.0.0.1 - login "root" - pass "password" - 1 of 3 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "123456" - 2 of 3 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "qwerty" - 3 of 3 [child 0] (0/0)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-30 09:56:09
Notice that when the attack completes normally, Hydra does not create a restore file. Restore files are only created when attacks are interrupted.
Simulate an Interrupted Attack
In this step, you will simulate an interrupted Hydra attack to create a restore file. This is necessary because Hydra only creates restore files when attacks are interrupted, not when they complete normally.
To create a longer-running attack that you can interrupt, let's expand your password list. Open the passwords.txt file again:
nano passwords.txt
Add more passwords to make the attack take longer:
password
123456
qwerty
admin
root
test
guest
user
login
pass
secret
Save the file and exit nano.
Now, launch the Hydra attack with a slower timing to make it easier to interrupt:
hydra -V -L users.txt -P passwords.txt -t 1 -W 2 localhost ssh
The additional options are:
-V: Enables verbose mode to show detailed attack attempts-t 1: Use only 1 task (slower execution)-W 2: Wait 2 seconds between connection attempts
IMPORTANT: While the attack is running (you should see Hydra trying different username/password combinations), press
Ctrl+Cto interrupt it after a few attempts.
You should see output similar to this:
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-30 10:00:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 tasks, 11 login tries (l:1/p:11), ~11 tries per task
[DATA] attacking ssh://localhost:22/
[ATTEMPT] target 127.0.0.1 - login "root" - pass "password" - 1 of 11 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "123456" - 2 of 11 [child 0] (0/0)
^C
[ERROR] Received signal 2, going down ...
The session file ./hydra.restore was written, you can resume with: hydra -R
The ^C indicates that you interrupted the process, and importantly, you should see a message about the restore file being written.
Restart with -R and Observe Behavior
In this step, you will restart the interrupted Hydra attack from the previous step using the -R option. This option tells Hydra to resume the attack from where it left off using the restore file.
To restart the attack, execute the following command in your terminal:
hydra -R
This command uses only the -R option:
-R: Tells Hydra to resume a previously aborted or crashed session using the restore file.
Observe the output. You should see that Hydra reads the restore file and continues from where it left off:
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
[INFORMATION] reading restore file ./hydra.restore
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-30 10:05:00
[DATA] max 1 task per 1 server, overall 1 tasks, 9 login tries (l:1/p:9), ~9 tries per task
[DATA] attacking ssh://localhost:22/
[ATTEMPT] target 127.0.0.1 - login "root" - pass "qwerty" - 3 of 11 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "admin" - 4 of 11 [child 0] (0/0)
...
Notice that Hydra resumes from where it was interrupted (in this example, starting with "qwerty" as the 3rd attempt) rather than starting from the beginning.
Use -I to Ignore Restore Files
In this step, you will use the -I option to ignore existing restore files and start a fresh attack. This is useful when you want to restart an attack from the beginning, regardless of any previous session data.
First, let's try using -R when no restore file exists to see the error:
rm -f hydra.restore
hydra -V -R -L users.txt -P passwords.txt localhost ssh
You should see an error message:
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
[INFORMATION] reading restore file ./hydra.restore
[ERROR] restore file (./hydra.restore) not found - No such file or directory
Now, let's create a restore file again by interrupting an attack:
hydra -V -L users.txt -P passwords.txt -t 1 -W 2 localhost ssh
Interrupt it with Ctrl+C after a few attempts to create the restore file.
Now, execute the following command to ignore the restore file:
hydra -V -I -L users.txt -P passwords.txt localhost ssh
This command includes the -I option:
-I: Tells Hydra to ignore an existing restore file and not create a new one.
Observe the output. You should see that Hydra starts from the beginning, ignoring any existing restore file:
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-30 10:10:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 3 tasks per 1 server, overall 3 tasks, 11 login tries (l:1/p:11), ~4 tries per task
[DATA] attacking ssh://localhost:22/
[ATTEMPT] target 127.0.0.1 - login "root" - pass "password" - 1 of 11 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "123456" - 2 of 11 [child 0] (0/0)
...
Notice that the attack starts from the first password ("password") regardless of the existing restore file.
Combine -I and -R Options
In this step, you will understand what happens when you combine the -I and -R options. This combination demonstrates how Hydra handles conflicting instructions.
Execute the following command:
hydra -V -I -R -L users.txt -P passwords.txt localhost ssh
This command includes both options:
-V: Enables verbose mode to show detailed attack attempts-I: Ignore existing restore files-R: Resume from restore file
You should see an error message similar to this:
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
[INFORMATION] reading restore file ./hydra.restore
[ERROR] restore file (./hydra.restore) not found - No such file or directory
This happens because:
- The
-Roption tells Hydra to look for a restore file - The
-Ioption tells Hydra to ignore restore files - When both are used together, Hydra still tries to read the restore file due to
-R, but if the file doesn't exist or is ignored due to-I, it results in an error
This demonstrates that -I and -R are conflicting options and should not be used together. Instead:
- Use
-Ralone to resume from a restore file - Use
-Ialone to ignore restore files and start fresh - Use neither to run a normal attack
Summary
In this lab, you learned how Hydra handles interrupted attacks and restore files. Key takeaways include:
- Restore files are only created when attacks are interrupted - Normal completed attacks do not generate restore files.
- The
-Roption resumes interrupted attacks - It reads thehydra.restorefile to continue from where the attack was stopped. - The
-Ioption ignores restore files - It forces Hydra to start a fresh attack, ignoring any existing session data. - Combining
-Iand-Rcreates conflicts - These options have opposing purposes and should not be used together. - Proper interruption is key - To test restore functionality, you must actually interrupt an attack with
Ctrl+C, not let it complete normally.
This understanding is crucial for managing long-running Hydra attacks in real-world scenarios, where you might need to pause and resume attacks or ensure fresh starts when needed.
