There are so many times where it's useful to take a peek at a DHCP enabled network, without actually having to apply any of the connection settings offered. You don't need an active ip address for this to work as DHCP uses broadcasts.
$ sudo nmap --script broadcast-dhcp-discover --spoof-mac -n -e eth1
Starting Nmap 6.47 ( http://nmap.org ) at 2018-02-10 08:17 UTC
Spoofing MAC address 00:01:BA:48:7C:24 (IC-Net)
Pre-scan script results:
| broadcast-dhcp-discover:
| IP Offered: 192.168.1.100
| DHCP Message Type: DHCPOFFER
| IP Address Lease Time: 1 day, 0:00:00
| Server Identifier: 192.168.1.1
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
|_ Domain Name Server: 192.168.1.1, 192.168.1.1
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.31 seconds