Never actually played with ettercap and sslstrip until tonight. Grabbed everything in Wireshark and looked through it for IOCs after I was finished. ARP poisoning really sticks out if you know what to look for (because we all look, right? Yeaaahhhh). It also made the victim machine have some odd, slightly buggy network comms (especially web browsing). This may have been because all this was over wireless through VMware on a somewhat underpowered laptop. . . Either way, it worked and my notes have been updated with the technique and how to detect it.

I also went through a printed copy of the 100-page GSE document on google groups. Some information needed to be updated, including some variations of what a given command does. Overall it’s a great document that you should check out; however, don’t just print it out without going through the commands to understand what’s going on.