2

I ask just out of curiosity, and this is just an imaginary network.

Imagine an internal LAN without any DHCP server implemented, so to access the network we should use static IP(s).

But my question is: what if I don't know what the ranges of valid IPs are in this LAN (we don't even know the IP class that is used in this network)? Is it possible to detect valid IP ranges or the DNS server IP?

ayyob khademi

3 Answers

1

Sure. You check the network gear. It will have the subnets defined on it, from which you can extrapolate valid IP ranges, and it should also contain ARP tables you could check to find existing devices on the network and match them with IPs.

That, of course, assumes a functional network, and devices that are actually sending and receiving network traffic.

Without access to the network gear, the best you'd probably be able to do is ping scans, and you'd have to hope that ICMP traffic isn't blocked by any of the network equipment and that the devices on the network are configured to actually respond to pings.

HopelessN00b
1

Well, if you have access to the machines, log in and look at the network settings. Write down:

  1. IP (not so important)
  2. Network mask (combine with the IP to get the network range)
  3. Default gateway
  4. DNS servers

Items 3 & 4 are probably the same on all hosts. Items 1 & 2 should yield the used subnets.

Once you have these, get nmap (optionally with a nice graphical frontend) and scan the network to find all used IPs and OSes.

[Edit] This will not quite work on huge networks, but if you have a network with multiple subnets, different gateways, etc., then I also expect there is documentation somewhere. Either at IT, or in the IT folders, or in a safe in a 'disaster recovery' document.

Hennes
1

Also, in the situation where you don't have access to documentation or network equipment (or if a hostile person was trying to figure out your network), running a scan with a tool such as Wireshark will allow you to capture network traffic, including ARP requests (which will include IPs).

A good capture would give you enough info to determine the probable gateway, IP scheme, and DNS servers easily.

Jim G.
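The inference described in the last answer (reading the IP scheme and probable gateway out of captured ARP traffic), as an added example that is not part of the original answers. The frames are constructed sample data and every function name here is hypothetical.

```python
import ipaddress
import struct
from collections import Counter

def build_arp(op, smac, sip, tmac, tip):
    """Build a constructed Ethernet II + ARP frame (sample data only)."""
    dst = b"\xff" * 6 if op == 1 else tmac          # requests are broadcast
    hdr = dst + smac + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    pack = lambda ip: ipaddress.IPv4Address(ip).packed
    return hdr + smac + pack(sip) + tmac + pack(tip)

def parse_arp(frame):
    """Return (op, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ipaddress.IPv4Address(frame[28:32]), ipaddress.IPv4Address(frame[38:42])

def summarize(frames):
    """Estimate the IP scheme from ARP traffic; None if no usable ARP was seen."""
    senders, asked = set(), Counter()
    for op, sender, target in filter(None, map(parse_arp, frames)):
        if int(sender):                      # 0.0.0.0 is an address probe, not a host
            senders.add(sender)
        if op == 1 and sender != target:     # ignore gratuitous ARP announcements
            asked[target] += 1
    if not senders:
        return None
    # Smallest prefix covering every sender seen; the real subnet may be wider.
    prefix = 32 - (int(min(senders)) ^ int(max(senders))).bit_length()
    net = ipaddress.ip_network(f"{min(senders)}/{prefix}", strict=False)
    # The address most hosts resolve is usually the default gateway.
    return {"hosts": sorted(senders), "covering_net": net,
            "most_requested": asked.most_common(1)[0][0] if asked else None}

Z = b"\x00" * 6
mac = lambda n: bytes([0x02, 0, 0, 0, 0, n])        # constructed, locally administered
SAMPLE = [                                           # constructed capture
    build_arp(1, mac(5), "192.168.10.5", Z, "192.168.10.1"),
    build_arp(2, mac(1), "192.168.10.1", mac(5), "192.168.10.5"),
    build_arp(1, mac(20), "192.168.10.20", Z, "192.168.10.1"),
    build_arp(1, mac(77), "192.168.10.77", Z, "192.168.10.1"),
    build_arp(1, mac(5), "192.168.10.5", Z, "192.168.10.20"),
    build_arp(1, mac(99), "0.0.0.0", Z, "192.168.10.99"),   # address probe
    b"\x00" * 60,                                            # non-ARP frame
]
```

The covering prefix is only a lower bound on the subnet size, since hosts that never spoke during the capture are not counted.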