Why hydra doesn't return a valid username&password with a valid supplied username&password

I'm just trying out hydra on OSX Yosemite, installed with brew

brew info hydra hydra: stable 8.0 (bottled), HEAD https://www.thc.org/thc-hydra/ /usr/local/Cellar/hydra/8.0_1 (14 files, 1.2M) * Poured from bottle From: https://github.com/Homebrew/homebrew/blob/master/Library/Formula/hydra.rb ==> Dependencies Build: pkg-config ✔ Required: openssl ✔ Optional: libidn ✘, libssh ✘, pcre ✔, gtk+ ✘ ==> Options --with-gtk+ Build with gtk+ support --with-libidn Build with libidn support --with-libssh Build with libssh support --with-pcre Build with pcre support --HEAD install HEAD version 

to test html form post, it is this case.

I have php file running with apache web server named 'index.php' as following:

<?php $login = 'admin'; $password = 'r00t'; ?> <html> <head> <title>PHP Form Auth</title> </head> <body> <?php if (isset($_POST['go_field'])) { if ($_POST['login_field'] == $login && $_POST['password_field'] == $password) { echo 'Logged in'; } else { echo 'Error'; } } else { ?> <form method="POST"> <input type="text" name="login_field" /> Login <br /> <input type="password" name="password_field" /> Password <br /> <input type="submit" name="go_field" value="Login" /> </form> <?php } ?> </body> 

It is running on my machine, that is at

http://localhost/security/3/php/index.php 

Basically, it's a html form that prints out 'Logged in' string if login is succeed, otherwise it prints out 'Error' string.

I have tested using user:admin password:r00t in browser, it said 'Logged in'. And I use failed credential, it said 'Error'

However, with hydra I tried:

hydra -l admin -p r00t localhost http-post-form "/security/3/php/index.php:login_field=^USER^&password_field=^PASS^&go_field=Login:Error"

I got this output:

Hydra v8.0 (c) 2014 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2014-12-03 21:58:40 [DATA] max 1 task per 1 server, overall 1 tasks, 1 login try (l:1/p:1), ~1 try per task [DATA] attacking service http-post-form on port 80 1 of 1 target completed, 0 valid passwords found Hydra (http://www.thc.org/thc-hydra) finished at 2014-12-03 21:58:41 

I'm not quite sure where I was wrong. Could anyone notice or suggest me?

The following is http headers when I use http form post with browser:

POST /security/3/php/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/security/3/php/ Cookie: __vjstorage=%7B%7D Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 52 login_field=admin&password_field=r00t&go_field=Login

After I tried to construct those headers into hydra, I issue:

hydra -v -V -l admin -p r00t -s 80 localhost http-post-form "/security/3/php/index.php:login_field=^USER^&password_field=^PASSWORD^&go_field=Login:Error:H=Host: localhost:H=User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:33.0) Gecko/20100101 Firefox/33.0:H=Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8:H=Accept-Language: en-US,en;q=0.5:H=Accept-Encoding: gzip, deflate:H=Referer: http://localhost/security/3/php/:H=Cookie: __vjstorage=%7B%7D:H=Connection: keep-alive:H=Content-Type: application/x-www-form-urlencoded:H=Content-Length: 52" 

Output

Hydra v8.0 (c) 2014 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2014-12-05 17:33:10 [DATA] max 1 task per 1 server, overall 1 tasks, 1 login try (l:1/p:1), ~1 try per task [DATA] attacking service http-post-form on port 80 [VERBOSE] Resolving addresses ... done [ATTEMPT] target localhost - login "admin" - pass "r00t" - 1 of 1 [child 0] [STATUS] 1.00 tries/min, 1 tries in 00:01h, 1 todo in 00:01h, 1 active [STATUS] 0.50 tries/min, 1 tries in 00:02h, 1 todo in 00:01h, 1 active [STATUS] 0.33 tries/min, 1 tries in 00:03h, 1 todo in 00:01h, 1 active 

It doesn't seem work.