One of the best known exploits is "router redirection". ARP queries contain the correct IP-to-MAC mapping for the sender, and to reduce ARP traffic (and traffic in general on the network) computers cache the mappings they read from these broadcasts. A malicious attacker can redirect nearby machines to forward traffic through the attacking host by sending out regular ARP packets that map the router's IP address to the attacker's own MAC address. All the machines on the local wire will believe the attacker is the router and pass their traffic through him/her. Simple, but effective. A more aggressive, but equally effective, strategy is to DoS a target victim, force it off the network, and then take over its IP address. If you pick your victim carefully, the rewards could be high!
Defending against the rogue sniffer is never easy. As previously mentioned, a switched network will keep the casual sniffer at bay, but the more determined will overcome that obstacle. The most robust method of protection is to enforce the use of encrypted protocols: replace Telnet with SSH, introduce SSL where possible, and encrypt email with PGP or S/MIME. Use two-factor or biometric authentication. Unfortunately, due to the nature of Ethernet, sniffing and sniffers will be here for some time to come.
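The router redirection described above has a simple signature on the wire: the router's IP address suddenly appears in ARP traffic bound to a different MAC address. The following is an added example (not code from the original article) of a passive ARP watcher that pins the known gateway binding and raises an alert the first time any ARP packet contradicts it. All frames, addresses and the gateway binding are constructed inline for the demonstration; the approach is the same one that tools such as arpwatch and switch-side Dynamic ARP Inspection build on.

```python
"""Passive ARP-spoofing detector run over constructed frames (added example)."""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # hw type, proto type, hw len, proto len, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Assemble a raw Ethernet+ARP frame; used here only to construct sample traffic."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpWatch:
    """Track IP->MAC bindings seen in ARP traffic and flag any change.

    The gateway binding is pinned up front, so a forged "router is at my MAC"
    packet is caught on its first appearance instead of being learned as truth.
    Any later sender_ip/sender_mac pair that contradicts the table is an alert,
    whether it arrives in a request (gratuitous ARP) or a reply."""

    def __init__(self, pinned: dict):
        self.table = dict(pinned)
        self.alerts = []

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac           # first sighting of this IP: learn it
            return None
        if known != mac:
            kind = "reply" if arp["op"] == ARP_REPLY else "request"
            msg = f"ALERT: {ip} moved from {known} to {mac} (ARP {kind})"
            self.alerts.append(msg)
            return msg
        return None


def run_demo():
    """Feed constructed traffic: a host request, a genuine gateway reply, then a
    reply from a different station claiming the gateway's IP. Returns the alerts."""
    gateway_ip, gateway_mac = "192.168.1.1", "aa:bb:cc:00:00:01"   # constructed binding
    host_mac, host_ip = "aa:bb:cc:00:00:20", "192.168.1.20"
    other_mac = "cc:dd:ee:00:00:99"           # constructed: another station on the segment
    watch = ArpWatch({gateway_ip: gateway_mac})
    frames = [
        build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gateway_ip),
        build_arp(ARP_REPLY, gateway_mac, gateway_ip, host_mac, host_ip, eth_dst=host_mac),
        build_arp(ARP_REPLY, other_mac, gateway_ip, host_mac, host_ip, eth_dst=host_mac),
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In practice the frames come from a raw socket or a pcap rather than `build_arp`, and the alert should be correlated with something else before anyone acts on it: a legitimately replaced router NIC, a failover pair sharing a virtual IP, or a DHCP lease moving between hosts will also change a binding. The pinned table is what makes the check useful against the attack in the article; a watcher that only learns bindings from the wire would accept the attacker's first packet as the truth.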
There are a large number of sniffing tools available, many of them free. The highly regarded (and free) packet capture tool Ethereal is a great place to start, but there are many more. A recent and comprehensive list can be found here.