Security Basics mailing list archives

Man in the middle: get packets that are destined for other ethernet card


From: here we go <herewegoss () gmail com>
Date: Wed, 24 Nov 2010 23:15:22 +0100

Hello.
Currently I'm learning packet capturing/modification/crafting in my
home network and I've got a little problem with an active man in the
middle attack with data modification. I will explain everything in
steps and by giving real-life examples because I want to avoid
misunderstandings.

In my home network there are 3 hosts with 3 ethernet cards (working
with a switch):
host A - 192.168.1.1
host B - 192.168.1.2
host C - 192.168.1.3

Host A wants to communicate with C, but host B wants to intercept the
traffic and modify packets. Scheme:

1. Host B activates kernel's ip_forwarding.
2. Host B ARP poisons host A, so that A thinks that B is C.
3. Host B ARP poisons host C, so that C thinks that B is A (after doing
that, host B is in the middle of the communication between A and C, and
the unencrypted packets can be seen by using a sniffer).
4. Host B doesn't want only to sniff data, he wants to DROP packets or
modify them and then send to the original destination host, so he uses
iptables with appropriate options to send specific packets to the
QUEUE (NFQUEUE mechanisms to be more precise). He fires up the program
that he has written to modify/drop/accept packets waiting in the
NFQUEUE.

And here is the problem, because it all works, but only when packets
are destined directly for host B. Example:
1) Packet A->B - works fine, goes to NFQUEUE and can be modified by
the program.
2) Packet C->B - as above.
3) Packet A->C (to be specific A->B->C, because we have to remember
that B is the middleman) - iptables does not work, the packet doesn't go
to the NFQUEUE, because it is destined for host C.
4) Packet C->A (C->B->A) - as above.

What am I trying to do?
For example:
1. A sends a packet to C.
2. B captures the packet, which goes to the NFQUEUE.
3. The running program makes all modifications and then the packet from
the NFQUEUE is transmitted to host C (note that the packet data is
modified and then the packet leaves the queue and goes to C; B is not
sending the packet!).
4. Host C gets the packet with modified data and thinks that it's the
data that A sent him.

How can I achieve that? Is there a way to force B to receive all
packets? How can B actively take part in the transmission and decide which
packets from A to send to C and which not? I would appreciate ideas and
clues about what to use to achieve that.
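From the defender's side, the scheme in steps 2 and 3 above leaves a visible trace on the LAN: one ethernet address (host B's) starts answering ARP for both 192.168.1.1 and 192.168.1.3, and the MAC bound to each of those IPs changes. The following detector is an added example, not code from the poster; the MAC addresses and the ARP reply list are constructed samples, and the IPs are the three hosts from the post.

```python
"""Flag the ARP-poisoning pattern from the post: a host answering for two
other hosts' IPs. Added example; the ARP replies below are constructed."""
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) fields of ARP replies seen on the
# wire. MAC values are invented; the IPs are hosts A, B and C from the post.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:aa:aa:aa:aa:01"),  # host A, legitimate
    ("192.168.1.3", "aa:aa:aa:aa:aa:03"),  # host C, legitimate
    ("192.168.1.2", "aa:aa:aa:aa:aa:02"),  # host B, legitimate
    ("192.168.1.3", "aa:aa:aa:aa:aa:02"),  # B claims C's IP (step 2 of the scheme)
    ("192.168.1.1", "aa:aa:aa:aa:aa:02"),  # B claims A's IP (step 3 of the scheme)
]


def detect_arp_poisoning(replies, expected=None):
    """Return a list of alert strings. Two signals are checked:
    - an IP whose advertised MAC differs from its first-seen (or expected) MAC;
    - one MAC advertising more than one IP, the signature of a host that has
      inserted itself between two victims.
    `expected` is an optional static IP -> MAC table for hosts you know."""
    expected = dict(expected or {})
    ip_to_mac = {}                 # first binding seen per IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = expected.get(ip, ip_to_mac.get(ip))
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(f"ip_changed {ip}: {known} -> {mac}")
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"mac_multi_ip {mac}: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

On a real network the tuples would come from a packet capture of ARP replies (opcode 2); a static `expected` table for known hosts catches the change even if the first reply seen is already the forged one.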
