
Man-In-The-Middle

Attackers can gather useful information from network traffic, especially traffic to and from a target system. On a modern switched network they cannot see that traffic unless they control a network device along its path, so they have to insert themselves into the path, either by tricking the systems involved into sending their traffic to the attacker or by compromising network devices that already sit in the path.

ARP Spoofing

The Address Resolution Protocol (ARP) is used to map IP addresses to physical machine addresses (MAC, or Media Access Control, addresses).

ARP spoofing occurs when an attacker answers ARP queries on the local network (or sends unsolicited replies) with its own MAC address for another host's IP address, typically the default gateway. The victim stores the false IP-to-MAC mapping in its ARP cache and from then on sends traffic for that IP to the attacker, who can capture it and forward it on to the real destination so that nothing appears broken.

Replay

A replay attack is a form of man-in-the-middle attack in which the attacker captures data, typically authentication data, and later resends it to pass as the original sender. Related credential-harvesting techniques include masquerading as a logon page so the victim hands over credentials that the attacker then reuses.

NTLM pass-the-hash is often described as a replay attack. An attacker who has obtained a user's NTLM hash (for example from a compromised host's memory or SAM database) can authenticate to other systems as that user without ever learning the password, because the NTLM response is computed from the hash alone. Strictly, what is replayed is the credential rather than the captured traffic; the closely related NTLM relay attack forwards a live NTLM exchange to another server, and it is that relay, not pass-the-hash, that requiring SMB signing prevents.

Relay

A relay attack is a form of man-in-the-middle attack that forwards the captured information to another party without modifying it, so a legitimate authentication exchange completes with the attacker sitting in the middle. Relay attacks are not limited to network traffic: an RFID card can be queried by one attacker device and its response relayed by a second device to pass authentication at a distant reader.

SSL Stripping

More and more network traffic is encrypted and carried over HTTPS. SSL stripping downgrades an HTTPS connection to plain HTTP: the attacker keeps an HTTPS session to the real server but rewrites the pages it relays so that the victim's browser keeps talking HTTP to the attacker in cleartext, allowing the attacker to read everything that passes. HTTP Strict Transport Security (HSTS) and browser preload lists are the standard countermeasure, because they make the browser refuse to speak plain HTTP to a host it knows requires HTTPS.

Downgrade

Downgrade attacks intercept the TLS handshake and try to force a weaker result than both ends could achieve: either by modifying the ClientHello so that it offers only weak cipher suites or an old protocol version, or by dropping handshake packets until the client gives up and retries with an older version on its own. TLS (like SSL before it) lets the client advertise the cipher suites and versions it supports and the server choose among them, so a negotiation restricted to weak options may let an attacker read client traffic. Two caveats matter in practice: the Finished messages authenticate the whole handshake transcript, so silently rewriting the cipher list is detected unless the negotiated cipher is weak enough to be broken before the handshake completes or an implementation is flawed; and TLS_FALLBACK_SCSV (RFC 7507) together with TLS 1.3's downgrade marker in the ServerHello random exist specifically to detect the retry-based form.
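An added example (not code from the original page) showing the negotiation at the byte level: it builds a TLS 1.2 ClientHello, applies the man-in-the-middle rewrite that keeps only weak suites, and runs a server-side policy that refuses weak suites and honours TLS_FALLBACK_SCSV on a retried handshake. The cipher suite code points are the real IANA values; the server preference list and policy are constructed for the demo and do not model the Finished-message check.

```python
import os
import struct

# Cipher suite code points from the IANA TLS registry.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_WITH_NULL_SHA = 0x0002
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling suite: "this is a retry at a lower version"
TLS12, TLS11 = (3, 3), (3, 2)

WEAK = frozenset({TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_NULL_SHA})
SERVER_PREFERENCE = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
                     TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_NULL_SHA]  # constructed for the demo


def build_client_hello(version, suites, random_bytes=None) -> bytes:
    """TLS record containing a ClientHello with no extensions."""
    random_bytes = random_bytes or os.urandom(32)
    body = bytes(version) + random_bytes + b"\x00"  # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]
    version = (body[0], body[1])
    random_bytes = body[2:34]
    pos = 35 + body[34]  # skip session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    return {"version": version, "random": random_bytes, "suites": suites}


def mitm_downgrade(record: bytes, keep) -> bytes:
    """Attacker rewrite: drop every offered suite not in `keep`, so the server can only pick a weak one."""
    h = parse_client_hello(record)
    return build_client_hello(h["version"], [s for s in h["suites"] if s in keep], h["random"])


def server_select(record: bytes, max_version=TLS12, forbidden=WEAK):
    """Server policy: reject a signalled fallback below our best version, then pick by our preference."""
    h = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in h["suites"] and h["version"] < max_version:
        return ("alert", "inappropriate_fallback")  # RFC 7507: the client could do better, someone interfered
    for suite in SERVER_PREFERENCE:
        if suite in h["suites"] and suite not in forbidden:
            return ("ok", min(h["version"], max_version), suite)
    return ("alert", "handshake_failure")


def run_demo() -> dict:
    offered = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA]
    honest = build_client_hello(TLS12, offered)
    tampered = mitm_downgrade(honest, keep=WEAK)
    # After the attacker drops the TLS 1.2 handshake packets, the client retries at TLS 1.1.
    retry_with_scsv = build_client_hello(TLS11, offered + [TLS_FALLBACK_SCSV])
    retry_without_scsv = build_client_hello(TLS11, offered)
    return {
        "honest": server_select(honest),
        "tampered_strict_server": server_select(tampered),
        "tampered_permissive_server": server_select(tampered, forbidden=frozenset()),
        "fallback_with_scsv": server_select(retry_with_scsv),
        "fallback_without_scsv": server_select(retry_without_scsv),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two server configurations make the point: against the tampered hello a server that still enables RC4 happily negotiates it, while one that has removed weak suites fails the handshake, which is the safe outcome. Likewise the fallback retry only succeeds when the client omits the signalling suite, so both ends have to cooperate: the server must disable weak options, and the client must mark its retries.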