What tool can you recommend to sniff and discover an IP range in the network (open or protected) when DHCP is disabled, so that I can then manually set up the interface?
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
If DHCP were disabled I guess I'd try a social engineering type attack like trying some kind of email trojan or drawing a network user to a malicious web page and trying to discover the info needed to get a static address. I'd be interested in anyone's advice on this.
Open up Wireshark and just listen to the traffic; you'll see addresses such as 192.168.1.15 or whatever. Then just set your own IP address in that range. Add the default gateway. Here's a guide on how to set that stuff:
Linux Internet Connection - Virjacode
To get a list of all IP addresses detected on a network, along with a list of the MAC addresses they're assigned to, you can use a program called Internet Prober in Passive Mode:
Internet Prober - Virjacode
Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".
You could also try using nmap assuming there are clients connected to the network.
Class C example:
nmap -sP 192.168.0.0/24
If anything, this will at least tell you what IP the gateway is at, and you can generally guesstimate from there since it's right next to the network or broadcast address the majority of the time.
As far as I know the best tool to discover IP ranges / subnets (especially in wired networks or in wifi networks without traffic) is netdiscover (1st result on Google).
Nmap is ok, but if you send ARP requests (automatically used with -sP in ethernet networks) with a source IP address that is not part of the subnet, target systems discard them. So you have to change your IP address each time and launch nmap again for the new subnet... and this will take too long for a class like 10.*.*.*.
Netdiscover automatically sends ARP requests with an IP source address belonging to the target subnet you are scanning for systems, so you only have to sit down and wait.
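The posts above describe two things a defender can see in the same ARP traffic: the address range in use on a segment (what the Wireshark "just listen" approach reveals) and the burst of ARP requests that nmap -sP or netdiscover produce. The following is an added example, not code from the thread or from either tool; it works on a constructed list of ARP frames (timestamp, sender MAC, sender IP, target IP, opcode) such as one would export from a capture, infers the smallest prefix covering the observed senders, and flags any sender that queries many distinct targets inside a short window. The MAC addresses, IPs and thresholds are invented for the sample.

```python
"""Passive ARP analysis: summarise the address range seen on a segment and
flag ARP sweeps (one sender querying many distinct targets in a short window).
Added example; the ARP records below are constructed, not captured."""
import ipaddress
from collections import defaultdict

# Hypothetical MAC addresses used only for the constructed sample.
GW_MAC = "02:00:00:00:00:01"
SCAN_MAC = "02:00:00:00:00:99"


def _build_sample():
    """Constructed ARP frames as (timestamp_s, sender_mac, sender_ip, target_ip, op)."""
    frames = []
    gw_ip = "10.0.5.1"
    # Normal traffic: the gateway resolves three hosts, each one replies.
    hosts = [("02:00:00:00:00:10", "10.0.5.10"),
             ("02:00:00:00:00:23", "10.0.5.23"),
             ("02:00:00:00:00:c8", "10.0.5.200")]
    for i, (mac, ip) in enumerate(hosts):
        t = 10.0 + i * 7.0
        frames.append((t, GW_MAC, gw_ip, ip, "request"))
        frames.append((t + 0.001, mac, ip, gw_ip, "reply"))
    # ARP sweep: one sender asks for .1 through .30 within 1.5 seconds,
    # using a sender IP inside the target subnet (the behaviour netdiscover uses).
    for i in range(1, 31):
        frames.append((100.0 + i * 0.05, SCAN_MAC, "10.0.5.77", f"10.0.5.{i}", "request"))
    return frames


SAMPLE_ARP = _build_sample()


def observed_hosts(records):
    """Sender IPs seen in ARP frames (requests and replies), ignoring ARP probes (0.0.0.0)."""
    return sorted({sip for _, _, sip, _, _ in records if sip != "0.0.0.0"})


def infer_prefix(ips):
    """Smallest IPv4 prefix covering every observed address.

    This is a lower bound on the real subnet size: the true mask can be shorter
    (a larger network) but never longer than the prefix returned here.
    """
    if not ips:
        raise ValueError("no addresses observed")
    addrs = [int(ipaddress.IPv4Address(ip)) for ip in ips]
    lo, hi = min(addrs), max(addrs)
    # Shorten the prefix until min and max share the same leading bits;
    # the common prefix of min and max equals the common prefix of the whole set.
    plen = 32
    while plen > 0 and (lo >> (32 - plen)) != (hi >> (32 - plen)):
        plen -= 1
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{plen}", strict=False)


def detect_arp_sweeps(records, window=5.0, threshold=20):
    """Return {sender_mac: max distinct targets in any `window` seconds} for senders
    that reach `threshold` distinct ARP request targets; sliding window per sender."""
    per_sender = defaultdict(list)
    for ts, smac, _, tip, op in records:
        if op == "request":
            per_sender[smac].append((ts, tip))
    alerts = {}
    for smac, reqs in per_sender.items():
        reqs.sort()
        in_window = defaultdict(int)   # target IP -> count inside the window
        left, best = 0, 0
        for ts, tip in reqs:
            in_window[tip] += 1
            # Drop requests that fell out of the window.
            while ts - reqs[left][0] > window:
                old = reqs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[smac] = best
    return alerts


if __name__ == "__main__":
    hosts = observed_hosts(SAMPLE_ARP)
    print("hosts seen:", hosts)
    print("inferred range:", infer_prefix(hosts))
    print("ARP sweep alerts:", detect_arp_sweeps(SAMPLE_ARP))
```

On the sample, the five senders collapse to 10.0.5.0/24 and the sweeping MAC is reported with 30 distinct targets, while the gateway's three spaced-out lookups stay under the threshold. The threshold and window are tuning knobs: a DHCP server or monitoring host legitimately resolves many addresses over time, so the window keeps normal churn from tripping the alert.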
Do you mean without getting caught? Then, as Virchanza said, Wireshark (in passive mode, mind you). If you want flat out loud and speedy, I like nbtscan (nbtscan - NETBIOS nameserver scanner), which allows you to specify a prefix. To each his own.
Oh my bad, this is in wireless.
<EeePc 1000HA BT4/W7 USB boot Alfa500 GPS BlueTooth>