Actually i'm working on the same Goals...
Today, i tried with ARP Poising to sniff some Hashes from the Domain Controller, without luck ;-)
(But, i didn't spend a lot of time...)
The way worket for me, was simpler. (Because you need to know the Domain Controller...)
I realized that theres a SharePoint Server and the Traffic was routet Out of the Lan (perhaps a guest Lan).
So, i simply poisgned route from my victim to the router and this way i received the hash ;-)
In the near future - i trie to catch a hash from a domain controller, if i find some time.
Let me know, the status of your project ;-)