MAC spoof concept
1- That means for a frame destined to host A to be visible to host B (attacker), host B must spoof the MAC address of host A [change the MAC address within the layer 2 traffic (frame)].
2- Visibility: without promiscuous mode, traffic (from C to A) on port 2 would be discarded by host B (attacker), since it does not contain the MAC address of host B.
3- Visibility is not enough to commit the attack; we must configure the NIC of the attacker's host (not the switch) to be in promiscuous mode to accept traffic even if it does not carry the attacker's MAC address.
They do that if you configure your NIC in promiscuous mode. Promiscuous mode tells the NIC to forward every frame it sees to the CPU, even if the destination MAC address doesn't match its own MAC.
Doesn't promiscuous mode only allow the NIC to receive traffic and not transmit traffic? I thought it just put it in a type of listen mode?
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
In the wired scenario that we have got, my conclusion is this:
1- That means for a frame destined to host A to be visible to host B (attacker), host B must spoof the MAC address of host A [change the MAC address within the layer 2 traffic (frame)].
2- Visibility: without promiscuous mode, traffic (from C to A) on port 2 would be discarded by host B (attacker), since it does not contain the MAC address of host B.
3- Visibility is not enough to commit the attack; we must configure the NIC of the attacker's host (not the switch) to be in promiscuous mode to accept traffic even if it does not carry the attacker's MAC address.
It will depend on the type of attack though. Don't forget DoS attacks are still attacks, and for this you could simply confuse the switch into thinking the MAC address is somewhere else, therefore stopping legitimate traffic from reaching the host. This type of attack wouldn't require return traffic.
Also, for example, if you look at the Ping of Death attack, again (although not really a MAC thing) it didn't rely on return traffic; it just sent a packet too big, which crashed the TCP/IP stack and caused a Blue Screen/Reboot. There are others as well.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Doesn't promiscuous mode only allow the NIC to receive traffic and not transmit traffic? I thought it just put it in a type of listen mode?
Nope! You can still use your NIC even if it is in promiscuous mode...
As promiscuous mode can be used in a malicious way to sniff on a network, one might be interested in detecting network devices that are in promiscuous mode. There are basically two methods to do this:
1. If a network device is in promiscuous mode, the kernel will receive all network traffic, i.e. the CPU load will increase. Then the latency of network responses will also increase, which can be detected. Of course, this method is very unreliable, as the CPU load could just be higher for another reason.
2. In promiscuous mode, some software might send responses to packets even though they were addressed to another machine. If you see such responses, you can be sure that the originating device is in promiscuous mode. However, experienced sniffers can prevent this (e.g. using carefully designed firewall settings). An example is sending a ping (ICMP echo request) with the wrong MAC address but the right IP address. If your firewall blocks all ICMP traffic, this will be prevented.
For more info, you should read the entire article here.
Christophe Lemaire
www.exp-networks.be/blog/
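The second detection method above (an ICMP echo request sent to the right IP but a deliberately wrong destination MAC) as an added, self-contained simulation; this is example code written for this thread, not code from the post or from firewall.cx. It models only the two decisions that matter: whether the NIC's hardware filter passes the frame up, and whether the IP stack would then answer it. All MAC and IP values are constructed sample values.

```python
import struct

def build_probe(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo-request frame (checksums left zero; not sent anywhere)."""
    eth = dst_mac + src_mac + b"\x08\x00"                       # EtherType 0x0800 = IPv4
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"probe"  # type 8 = echo request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + icmp

def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Hardware filter: unicast to us, broadcast or multicast; anything at all when promiscuous."""
    dst = frame[:6]
    if promiscuous:
        return True
    return dst == own_mac or dst == b"\xff" * 6 or (dst[0] & 1) == 1

def stack_replies(frame: bytes, own_ip: str) -> bool:
    """The IP/ICMP layer never looks at the MAC: it checks destination IP and echo-request type only."""
    if frame[12:14] != b"\x08\x00":
        return False
    ip = frame[14:34]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    dst_ip = ".".join(str(b) for b in ip[16:20])
    icmp_type = frame[14 + ihl]
    return dst_ip == own_ip and proto == 1 and icmp_type == 8

def host_replies_to_probe(frame: bytes, own_mac: bytes, own_ip: str,
                          promiscuous: bool, firewall_blocks_icmp: bool = False) -> bool:
    """A reply is only possible if the NIC passes the frame up AND no host firewall drops ICMP."""
    return nic_accepts(frame, own_mac, promiscuous) and not firewall_blocks_icmp \
        and stack_replies(frame, own_ip)

# Constructed sample values for the host being checked and for the probe.
TARGET_MAC = bytes.fromhex("0242ac110002")
TARGET_IP = "192.0.2.10"
BOGUS_MAC = bytes.fromhex("0242ac11ffee")   # unicast, but deliberately not TARGET_MAC
PROBE = build_probe(BOGUS_MAC, bytes.fromhex("0242ac110001"), "192.0.2.1", TARGET_IP)

if __name__ == "__main__":
    for mode in (False, True):
        replied = host_replies_to_probe(PROBE, TARGET_MAC, TARGET_IP, promiscuous=mode)
        print("promiscuous" if mode else "normal", "->",
              "reply seen: promiscuous mode suspected" if replied else "silent")
    # With ICMP blocked on the host the probe stays silent in both modes (the caveat in the post).
    print("promiscuous + ICMP blocked ->",
          host_replies_to_probe(PROBE, TARGET_MAC, TARGET_IP, True, firewall_blocks_icmp=True))
```

A host that is silent here is not proven clean: the same silence results from an ICMP-blocking firewall, so this probe only ever yields positive evidence.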