How to do it...

Although it is usually thought of as an exploitation framework, Metasploit also ships a large number of auxiliary modules that are useful for scanning and information gathering. One auxiliary module in particular performs layer 2 discovery by sending ARP requests across the local subnet.

  1. Start the Metasploit Framework with the msfconsole command. Then select the layer 2 discovery module with the use command followed by the module path:
  2. Once the module has been selected, you can view its configurable options with the show options command:
  3. These options specify information about the targets to be scanned, the scanning system itself, and the scan settings. Most of the information needed for this particular scan can be collected by examining the interface configuration of the scanning system. Conveniently, system shell commands can be passed through the Metasploit Framework Console, so in the following example ifconfig is executed without ever leaving the console:
  4. The interface used for this scan is eth1. Because ARP requests are not forwarded by routers, a layer 2 scan can only identify live hosts on the local subnet, so the scanning system's own IP address and subnet mask determine the range to scan. In this case, the IP address and subnet mask indicate that the 172.16.69.0/24 range should be scanned. The source IP address and MAC address of the scanning system can also be read from the same interface configuration. To define these values in Metasploit, use the set command followed by the option name and then the value you want to assign to it:
  5. Once the scan options have been set, review them again with the show options command. The output should now show all the values that were previously set:
  6. After verifying that everything is configured correctly, launch the scan with the run command. The module prints every live host that answers an ARP request. It also reports the vendor of each host's network interface card (NIC), looked up from the OUI, that is, the first three octets of the discovered MAC address:
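The whole procedure, as an added example that is not from the book: a POSIX shell script that reads the scanner's ifconfig output, works out the network range, source address and MAC the way the ifconfig step above does by eye, and writes them into a Metasploit resource script that replays the use, set, show options and run commands. It assumes the module in question is auxiliary/scanner/discovery/arp_sweep with its usual RHOSTS, INTERFACE, SHOST, SMAC and THREADS options; the ifconfig text, addresses and MAC addresses in it are constructed samples, not the book's screenshots.

```shell
#!/bin/sh
# Added example, not code from the book: derive the layer 2 sweep settings from
# the scanner's own interface configuration and emit a Metasploit resource
# script. Assumes the module meant is auxiliary/scanner/discovery/arp_sweep and
# that its options are RHOSTS, INTERFACE, SHOST, SMAC and THREADS.

# Dotted-quad netmask -> prefix length (255.255.255.0 -> 24).
# Rejects masks whose set bits are not contiguous (e.g. 255.0.255.0).
mask_to_prefix() {
    prefix=0; zeros_started=0
    oldifs=$IFS; IFS=.
    for octet in $1; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;;
            *)   IFS=$oldifs; echo "invalid netmask octet: $octet" >&2; return 1 ;;
        esac
        # once a non-255 octet has appeared, every following octet must be 0
        if [ "$zeros_started" -eq 1 ] && [ "$bits" -ne 0 ]; then
            IFS=$oldifs; echo "non-contiguous netmask: $1" >&2; return 1
        fi
        if [ "$bits" -ne 8 ]; then zeros_started=1; fi
        prefix=$((prefix + bits))
    done
    IFS=$oldifs
    echo "$prefix"
}

# Network address = IP AND mask, octet by octet
# (172.16.69.130 with 255.255.255.0 -> 172.16.69.0).
network_address() {
    oldifs=$IFS; IFS=.
    set -- $1 $2        # positional params become the 8 octets: ip1..4 mask1..4
    IFS=$oldifs
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# Pull the IPv4 address, netmask and MAC of one interface out of ifconfig
# output read on stdin. Handles both the old net-tools layout
# ("inet addr:A.B.C.D  Mask:M", "HWaddr XX") and the newer Linux one
# ("inet A.B.C.D  netmask M", "ether XX"). Prints "ip mask mac".
ifconfig_fields() {
    awk -v iface="$1" '
        /^[^ \t]/ { cur = ($1 == iface || $1 == (iface ":")) }   # interface header line
        cur {
            for (i = 1; i <= NF; i++) {
                if ($i == "inet")         { ip = $(i + 1); sub(/^addr:/, "", ip) }
                else if ($i ~ /^Mask:/)   { mask = substr($i, 6) }
                else if ($i == "netmask") { mask = $(i + 1) }
                else if ($i == "HWaddr" || $i == "ether") { mac = $(i + 1) }
            }
        }
        END {
            if (ip == "" || mask == "" || mac == "") exit 1
            print ip, mask, mac
        }'
}

# Build the resource script for the interface named in $1; ifconfig output on stdin.
arp_sweep_rc() {
    fields=$(ifconfig_fields "$1") || { echo "interface $1 not found" >&2; return 1; }
    set -- "$1" $fields              # iface ip mask mac
    prefix=$(mask_to_prefix "$3") || return 1
    net=$(network_address "$2" "$3")
    cat <<EOF
use auxiliary/scanner/discovery/arp_sweep
set INTERFACE $1
set RHOSTS $net/$prefix
set SHOST $2
set SMAC $4
set THREADS 20
show options
run
EOF
}

# Constructed sample ifconfig output (not from the book), old net-tools layout,
# with a second interface present to show that only eth1 is picked up.
SAMPLE_OLD='lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

eth1      Link encap:Ethernet  HWaddr 00:0c:29:12:34:56
          inet addr:172.16.69.130  Bcast:172.16.69.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe12:3456/64 Scope:Link'

# Constructed sample in the newer layout, with a /16 to show the range maths.
SAMPLE_NEW='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.20.30.40  netmask 255.255.0.0  broadcast 10.20.255.255
        ether 00:0c:29:ab:cd:ef  txqueuelen 1000  (Ethernet)'

# Against a real scanner: ifconfig | arp_sweep_rc eth1 > sweep.rc
# Here the constructed sample stands in for ifconfig:
printf '%s\n' "$SAMPLE_OLD" | arp_sweep_rc eth1
```

Run it as `ifconfig | arp_sweep_rc eth1 > sweep.rc` and then `msfconsole -q -r sweep.rc`; the generated file issues the same use, set, show options and run commands the steps above type interactively, and the show options line before run gives the same review step. A mask that is not contiguous, or an interface that is not in the ifconfig output, makes the script fail rather than emit a bogus RHOSTS range.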