I have recently been performing a security audit at work (sanctioned, of course) and have seen some interesting behaviour from Cain and Abel. I've purposefully avoided using APR so that my co-workers won't freak out at security certificate errors and have only been using the "sniffing" functionality.
Somehow, Cain is still able to pick up a lot of SNMP, MSKerb5-PreAuth, Telnet, LDAP, HTTP, and FTP passwords. How is this possible in a switched environment without using APR? I checked the ARP tables on a couple of other machines while running the sniffer and they all had the correct ARP entries for the gateway.
At first I thought for some odd reason we may have had hubs on our network, but I checked into it and it's definitely all switched.
I've read a lot of information on ARP spoofing/poisoning but can't find much at all on the specifics of Cain's sniffer.
Tomorrow I plan on running around with Wireshark to see if I can trace where some of these packets are coming from, as they could potentially be very damaging.