You might be in some new town or some new school and there is no DHCP, or the DHCP is not responding. But you can physically connect to the network. That happens to me alot. I am now posting for a successful breaking an entry to a free WiFi here in Addis Abeba.
If for some reason you could not get an IP form the network, your computer will fail to connect to the network. For many cases, the network admins leave the IP range to the default values. You know '192.168.1.*'. and as you can guess the subnet mask to '255.255.255.0', and the default getway to the first valid address of the range, i.e '192.168.1.1'.
But some don't leave it that way. Specially if there is some more complicated networking done. So, how in the world do we find the range of IP addresses to guess from. Well if you get some IP addresses in use in the network, then the rest is making your IP address to something that is not used in the network.
Lets begin with finding the IP in use in the network. First we have to connect to the network. To do this we have to assign some random IP. Set a static IP address like the above one to your network interface.
Then Scan for active IP addresses in use in the network you are connected to. To achieve this, we need an ARP scanner in place. What we want to do is scan for packets that are being thrown around in the network. It captures packets and registers their IP and MAC addresses.
Thre are many ARP Scanners to choose from. For my linux enthusiast friends, netdiscover is good one. If you are using Backtrak or Kali linux, I hear it is already packaged with your penetration distro. For other linux users, go over
After installing your ARP scanner, somehow set it to passively listen to packets. To do this with netdiscover, run
sudo netdiscover -i wlan0 -p
This will start instruct netdiscover to listen for packages without sending any requests. The result is any IP address currently communicating in the local network. It might take a while if there is no active device. My result looks like this one
Currently scanning: (passive) | Screen View: Unique Hosts
21 Captured ARP Req/Rep packets, from 9 hosts. Total size: 1260
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
0.0.0.0 f0:24:75:ad:c0:9e 03 180 Unknown vendor
169.254.132.101 f0:24:75:ad:c0:9e 03 180 Unknown vendor
10.11.3.54 14:58:d0:39:0d:02 05 300 Unknown vendor
0.0.0.0 28:cf:da:57:94:f9 03 180 Unknown vendor
169.254.34.169 28:cf:da:57:94:f9 02 120 Unknown vendor
10.11.6.42 b8:5a:73:62:b1:ec 02 120 Unknown vendor
10.11.6.17 84:db:ac:ad:99:70 01 060 Unknown vendor
10.11.6.26 b8:ca:3a:96:8f:82 01 060 Unknown vendor
10.15.4.10 64:51:06:26:1f:e6 01 060 Unknown vendor
From this result I could see a list of valid IP addresses. You can see that most of the IP addresses are from '10.*.*.*' range. So you can start guessing from here.