(CTF) hydra returns false positives when doing a brute force attack to find a password from a dictionary.

Hello,

First, sorry if I sound very ignorant. I'm a former Python dev just getting into hacking with an interest in pentesting. I'm currently studying for the A+ certification and I'm planning to go all the way to CEH.

Now, my "error".

Okay, so, to challenge myself I've decided to try a popular CTF: Mr. Robot (which I found on VulnHub).

I'm at the part where I'm trying a brute force attack to find the user Elliot's WordPress password from a dictionary (which does contain the correct password).

On my terminal, I type the following command:

hydra -l Elliot -P fsocity.dic 10.35.1.11 http-post-form "/wp-login.php:log=\USER^&pwd=^PSWD^:The password you entered for the username Elliot is incorrect." -t 30)

The correct password is supposed to be ER28-0652. But hydra returns a lot of false positives, and no sign of the correct password. (check the attached screenshot to see the terminal)

What am I doing wrong? How could I fix the issue?

Again, sorry for sounding ignorant (I am).

Thank you!

Hydra returns false positives when trying to brute force a wordpress's password on a vulnerable server.

submitted by /u/No-Nail-7227


from hacking: security in practice https://ift.tt/ubMtX7L
