arpspoofing

From: Erlend J. Leiknes (nookie@online.no)
Date: 02/05/02


From: "Erlend J. Leiknes" <nookie@online.no>
To: <pen-test@securityfocus.com>
Date: Tue, 5 Feb 2002 20:00:44 +0100

I'm testing a network for clear-text password leakage (unencrypted
protocols).
Since it's a switched environment I have to arpspoof or macflood.
Macflooding had no success; shouldn't the switches be degraded to hubs when
their mac-tables get filled?

And when I arpspoof using the redirecting data from the gateway to the
laptop, pings won't get through, and I sent some clear text on purpose from
machines that had gotten their arp table poisoned. Still it seemed like it
didn't work too well.

The question is:

If arp -a (on Windows 98) shows:

Interface: x.x.x.204 --- 0x2
  Internet Address      Physical Address      Type
  x.x.x.1               00-10-14-26-60-38     dynamic
  x.x.x.5               00-50-da-37-93-5b     dynamic
  x.x.x.6               00-50-da-37-93-5b     dynamic

who will receive the packages: 5, 6 or both?

Any other ways to sniff in a switched environment?
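
Added example, not part of the original post: a defender-side check that parses Windows-style `arp -a` output like the listing above and flags any MAC address cached for more than one IP, which is the footprint ARP cache poisoning leaves on a host. The function names and the sample constant are assumptions made for this illustration; the sample is the post's own listing with its masked addresses.

```python
import re
from collections import defaultdict

# Constructed sample: the `arp -a` listing from the post (addresses masked as posted).
SAMPLE_ARP_OUTPUT = """\
Interface: x.x.x.204 --- 0x2
  Internet Address      Physical Address      Type
  x.x.x.1               00-10-14-26-60-38     dynamic
  x.x.x.5               00-50-da-37-93-5b     dynamic
  x.x.x.6               00-50-da-37-93-5b     dynamic
"""

# One cache entry: address, MAC (dash- or colon-separated), entry type.
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\S+)\s+(?P<mac>(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+(?P<type>\w+)\s*$",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return (ip, mac, type) tuples; header and interface lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            mac = m.group("mac").lower().replace(":", "-")
            entries.append((m.group("ip"), mac, m.group("type").lower()))
    return entries

def shared_macs(entries, ignore=("ff-ff-ff-ff-ff-ff",)):
    """Map each MAC cached for more than one IP to the sorted IPs it answers for.
    A hit is a lead, not proof: multi-homed hosts and proxy ARP also cause it."""
    by_mac = defaultdict(set)
    for ip, mac, kind in entries:
        if kind == "dynamic" and mac not in ignore:
            by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def next_hop_mac(entries, ip):
    """Destination MAC this host puts on a frame for `ip` (None if not cached)."""
    for entry_ip, mac, _ in entries:
        if entry_ip == ip:
            return mac
    return None

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for mac, ips in shared_macs(table).items():
        print(f"ALERT: {mac} is cached for {', '.join(ips)}")
```

Run against periodic `arp -a` snapshots, a change in the MAC cached for the gateway address is the entry most worth alerting on.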
