Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

BlackSheep For Linux

November 09, 2010 - 3 min read

BlackSheep uses compiled code to listen to HTTP traffic. These executables come straight from Firesheep. Firesheep ships with executables for Windows And MacOSX 10.5 (Intel) only, this is why the first release of BlackSheep supports these 2 platforms only.

The number one request I got was to support Linux. The good news is that it is now possible to run BlackSheep on Linux - though it does requires some work to setup.

Too Many Linux environments

The main challenge is that the back-end must be compiled on each possible environment: CPU (x86, x86_64), compiler (gcc 3, gcc 4), and also different versions of libpcap, etc. In the case of Firesheep and BlackSheep, it is not possible to deliver one add-on that would work on all Linux environment.

This means that each Linux user must compile their own version.


To make your own Linux version of BlackSheep, you need:

  • autoconf 2.61 or higher (autoconf -V)
  • libpcap-devel with pcap-config
  • xulrunner-sdk (or xulrunner-devel depending on the distribution)
  • boost-devel

Here is how to proceed on CentOS.

autoconf 2.61

CentOS provides autoconf 2.59, so a new version must be compiled from source:

  wget  tar xf autoconf-2.65.tar.gz  cd autoconf-2.65  ./configure  make  sudo make install  autoconf -V

If autoconf -V still shows the old version, modify your PATH:



  export PATH=/usr/local/bin:$PATH


The version of libpcap-devel in CentOS is too old. A new one must be installed from source:

  sudo yum install flex  sudo yum install byacc  wget  tar -zxvf libpcap-1.1.1.tar.gz  cd libpcap-1.1.1/  ./configure  make  sudo make install


  sudo yum install boost-devel

Back-end from Firesheep

Then, you need to compile the Firesheep-backend. Get the source code for Firesheep for Linux:

  sudo yum install git  sudo yum install xulrunner-devel  git clone git://  cd firesheep  git submodule update --init  ./ --with-xulrunner-sdk=/usr/lib/xulrunner-sdk-1.9.2/  make

Note than xurlrunner could install in a different folder on your Linux box, for example in /usr/lib/xulrunner-devel-

Check if the back-end works correctly. The directory might be slightly different

  cd xpi/platform/Linux_x86-gcc3/  sudo ./firesheep-backend --fix-permissions  ./firesheep-backend --list-interfaces

The last command might generate an error. However, this may not be an issue. To check if the packet capture works, try this (you may want to change eth0 to wlan0):

  ./firesheep-backend eth0 "tcp port 80"

In a different console, try this



You should now this this in the first console

  ./firesheep-backend eth0 "tcp port 80"  {"from":"","to":"","method":"GET",  "path":"/","query":"","host":"","cookies":"",  "userAgent":"Wget/1.11.4 Red Hat modified"}

Congratulations, you'll be able to run BlackSheep on your box.

Next, you need to include the new back-end in the BlackSheep plugin (1.3 or higher):

  cd ~  wget\      blacksheep/blacksheep-latest.xpi  mkdir blacksheep  unzip blacksheep-latest.xpi -d blacksheep/  cd blacksheep  cp -r ../firesheep/xpi/platform/* platform/

Edit the file install.rdf Remove the following lines:


or add your new platform:

  [em:targetPlatform>Linux_x86-gcc3</em:targetPlatform]  [em:targetPlatform]Linux_x86_64-gcc3[/em:targetPlatform]

You may also want to disable the updates to keep your custom, stable version. Remove this line, or modify the URL:



You can now create the XPI file:

  zip blacksheep-latest-linux.xpi -r *

Now, install BlackSheep. Restart your browser and open blacksheep/blacksheep-latest-linux.xpi.

There is one last step: the permissions must be fixed on firesheep-backend.

  cd .mozilla/firefox/ygqde9s7.default/extensions/\      jsobrier\  sudo ./firesheep-backend --fix-permissions


The new version of BlackSheep contains Linux versions built on CentOS5 x86 and x86_64. If this does not work in your environment, follow the procedure above.

-- Julien



form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.