An attacker can turn to JavaScript to find out the internal IP address of the victim, and then make educated guesses about the IP of other hosts on the network.