Tuesday, November 9, 2010

BlackSheep for Linux

BlackSheep uses compiled code to listen to HTTP traffic. These executables come straight from Firesheep. Firesheep ships with executables for Windows and Mac OS X 10.5 (Intel) only, which is why the first release of BlackSheep supports only these two platforms.

The number one request I got was to support Linux. The good news is that it is now possible to run BlackSheep on Linux, though it does require some work to set up.

Too Many Linux environments

The main challenge is that the back-end must be compiled for each possible environment: CPU (x86, x86_64), compiler (gcc 3, gcc 4), and also different versions of libpcap, etc. In the case of Firesheep and BlackSheep, it is not possible to deliver one add-on that would work on all Linux environments.

This means that each Linux user must compile their own version.


To make your own Linux version of BlackSheep, you need:
  • autoconf 2.61 or higher (autoconf -V)
  • libpcap-devel with pcap-config
  • xulrunner-sdk (or xulrunner-devel depending on the distribution)
  • boost-devel
Here is how to proceed on CentOS.

autoconf 2.61

CentOS provides autoconf 2.59, so a new version must be compiled from source:

wget http://ftp.gnu.org/gnu/autoconf/autoconf-2.65.tar.gz
tar xf autoconf-2.65.tar.gz
cd autoconf-2.65
./configure
make
sudo make install
autoconf -V

If autoconf -V still shows the old version, modify your PATH:

export PATH=/usr/local/bin:$PATH


The version of libpcap-devel in CentOS is too old. A new one must be installed from source:

sudo yum install flex
sudo yum install byacc
wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
tar -zxvf libpcap-1.1.1.tar.gz
cd libpcap-1.1.1/
./configure
make
sudo make install


sudo yum install boost-devel
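
Before moving on to the back-end, the prerequisites installed above can be checked with a small script. This is an added example, not part of the original post or of BlackSheep; the function names (parse_version, version_ge, check_autoconf, preflight) and the OK/FAIL output format are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the prerequisites listed in the post.
# Function names and output format are illustrative, not part of BlackSheep.
MIN_AUTOCONF=2.61   # minimum autoconf version required by the build

# Extract the version from the first line of `autoconf -V`,
# e.g. "autoconf (GNU Autoconf) 2.59" -> "2.59".
parse_version() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/.* \([0-9][0-9.]*\)$/\1/p'
}

# Succeed if dotted version $1 >= $2, comparing field by field as integers
# (a plain string or float comparison would misorder 2.9 and 2.61).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Classify one `autoconf -V` output (passed as $1) against MIN_AUTOCONF.
check_autoconf() {
    v=$(parse_version "$1")
    if [ -z "$v" ]; then
        echo "FAIL autoconf not found"
    elif version_ge "$v" "$MIN_AUTOCONF"; then
        echo "OK autoconf $v"
    else
        echo "FAIL autoconf $v < $MIN_AUTOCONF"
    fi
}

# Report on the tools the post installs or relies on.
preflight() {
    # The first autoconf on PATH is the one the build will use.
    check_autoconf "$(autoconf -V 2>/dev/null)"
    for tool in pcap-config flex byacc git; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "OK $tool ($(command -v "$tool"))"
        else
            echo "FAIL $tool not found"
        fi
    done
}

preflight
```

A FAIL line for autoconf after installing 2.65 usually means the old /usr/bin copy still comes first on PATH.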

Back-end from Firesheep

Then, you need to compile the Firesheep-backend. Get the source code for Firesheep for Linux:

sudo yum install git
sudo yum install xulrunner-devel
git clone git://github.com/mickflemm/firesheep.git
cd firesheep
git submodule update --init
./autogen.sh --with-xulrunner-sdk=/usr/lib/xulrunner-sdk-1.9.2/
make

Note that xulrunner could be installed in a different folder on your Linux box, for example in /usr/lib/xulrunner-devel-

Check if the back-end works correctly. The directory might be slightly different:

cd xpi/platform/Linux_x86-gcc3/
sudo ./firesheep-backend --fix-permissions
./firesheep-backend --list-interfaces

The last command might generate an error. However, this may not be an issue. To check if the packet capture works, try this (you may want to change eth0 to wlan0):

./firesheep-backend eth0 "tcp port 80"

In a different console, try this:

wget http://www.zscaler.com/

You should now see this in the first console:

./firesheep-backend eth0 "tcp port 80"
"userAgent":"Wget/1.11.4 Red Hat modified"}

Congratulations, you'll be able to run BlackSheep on your box.

Next, you need to include the new back-end in the BlackSheep plugin (1.3 or higher):

cd ~
wget http://www.zscaler.com/research/plugins/firefox/\
mkdir blacksheep
unzip blacksheep-latest.xpi -d blacksheep/
cd blacksheep
cp -r ../firesheep/xpi/platform/* platform/

Edit the file install.rdf. Remove the following lines:


or add your new platform:


You may also want to disable the updates to keep your custom, stable version. Remove this line, or modify the URL:


You can now create the XPI file:

zip blacksheep-latest-linux.xpi -r *

Now, install BlackSheep. Restart your browser and open blacksheep/blacksheep-latest-linux.xpi.

There is one last step: the permissions must be fixed on firesheep-backend.

cd .mozilla/firefox/ygqde9s7.default/extensions/\
sudo ./firesheep-backend --fix-permissions

The new version of BlackSheep contains Linux versions built on CentOS5 x86 and x86_64. If this does not work in your environment, follow the procedure above.

Install BlackSheep add-on for Firefox 3.x

-- Julien


Anonymous said...

The backend compiles for me and dumps traffic as described, but it segfaults immediately when it sees IPv6 traffic.
Is this a known limitation at the moment?

Great work anyway :)

Julien Sobrier said...

firesheep-backend, as its name suggests, comes straight from Firesheep. Could you open a bug with them: https://github.com/codebutler/firesheep/issues

Julien Sobrier said...

About IPv6 crash - In the meantime, you can exclude all IPv6 traffic. Go to about:config, look for extensions.firesheepdetection.capture_filter and set it to " ip and tcp port 80". I'll change the default value in the next release.

Anonymous said...

Is this intended to be used on mon0, or the network you're actually connected to?

Anonymous said...

Also: I don't get an "ok" button when I view the addon preferences. Is there a way to tell if it's actually working?

Julien Sobrier said...

about mon0 - Choose whatever network interface is on: eth0 if it is a wired connection, wlan0 for wireless, etc. mon0 is usually a virtual interface set up to monitor several physical interfaces. ifconfig will tell you which interface you should use.

Julien Sobrier said...

"ok" button - Indeed, no OK button. If you want to see how BlackSheep is working, you can check the error console. If you want to double check which interface is selected, enter about:config in the address bar and look for extensions.firesheepdetection.capture_interface

Anonymous said...

Why does it need root permissions to run?

Julien Sobrier said...

firesheep-backend listens to network interfaces, which requires root access. Once you run firesheep-backend --fix-permissions, you do not need root access anymore.

Anonymous said...

Hi!
Does CentOS have the same architecture as Ubuntu? I mean, does the latest work with Ubuntu? Is the compilation essential for Ubuntu?

(I suspect the author compiled it on CentOS just to avoid Ubuntu users =D
I'm kidding!)

Julien Sobrier said...

About Ubuntu. You can try version 1.5. If it works on Ubuntu (i.e. firesheep-backend executes fine), then you're good. But if you have different library versions, a different gcc, etc. you will have to compile your own version.

Raul said...

I was able to compile it in Ubuntu 10.10 64 bits. I installed it perfectly. I ran it and I get the JavaScript error "cc is not defined". I manually edited the interface in about:config and I now get the json_parse error :D

I tried the command line with the firesheep-backend and I'm able to capture via the command line, but on the list of interfaces I got an error, which I think makes the xpi unusable.

Julien Sobrier said...

@Raul Do you have version 1.5? In this version, I show a list of common interfaces (eth0, wlan0, mon0) on Linux in case I cannot get the list of interfaces from Firesheep-Backend. This is the case on my CentOS, but the plugin still works fine for me.

ywarnier said...

Hi, on Ubuntu 10.10 64bit I get to the make command and I receive the following errors. Is it due to one specific missing library (maybe some sub-part of xulrunner?):

$ make
Making all in mozpopen
make[1]: se ingresa al directorio «/tmp/firesheep/mozpopen»
mkdir -p ../xpi/platform/Linux_x86_64-gcc3/components
g++ -shared -fno-rtti -fPIC MozPopenModule.cpp unix/MozPopenProcess.cpp -g -O2 -I ../mozpopen -I ../mozpopen/unix -mtune=generic -m64 -fshort-wchar -I/usr/include/xulrunner-2.0b9pre -L/usr/lib/xulrunner-devel-2.0b9pre/lib -lxpcomglue_s -lxul -lxpcom -lmozalloc -lplds4 -lplc4 -lnspr4 -lpthread -ldl -o ../xpi/platform/Linux_x86_64-gcc3/components/MozPopen.so
MozPopenModule.cpp:24: fatal error: nsIGenericFactory.h: No existe el fichero o el directorio
compilation terminated.
In file included from /usr/include/xulrunner-2.0b9pre/nscore.h:50,
from /usr/include/xulrunner-2.0b9pre/nsXPCOMStrings.h:42,
from /usr/include/xulrunner-2.0b9pre/nsStringAPI.h:53,
from unix/MozPopenProcess.cpp:24:
/usr/include/xulrunner-2.0b9pre/mozilla/mozalloc.h:109: error: expected initializer before ‘NS_ATTR_MALLOC’
[...and a series of other NS_ATTR_MALLOC errors follow...]

Just in case it would be obvious for you.

Ryan said...

Hi, I successfully installed firesheep and blacksheep in my Fedora 14. My network interfaces are 'eth0' and 'lo'.

In my own understanding, these two plugins should not both be enabled in one Firefox profile, right?

So, how can I test whether these two are actually working?

Julien Sobrier said...


lo is your loopback interface, you will not see anything interesting there.

eth0 is likely your Ethernet (wired) interface. You will see your own traffic only, unless you're plugged into a hub, so BlackSheep will not be able to see the traffic for someone using Firesheep on your wired network. However, if eth0 is indeed your wireless interface, choose this one.