Now, this is a loaded question. Practically speaking, only so much of a network can be discovered if it’s even vaguely secure, but an engineer who’s been around the block will hopefully come up with several of the following answers. Running a ping sweep against a range of addresses. Running a packet analyzer and seeing what sorts of broadcast frames come across the wire. Running a MAC flooding tool to get the switch to dump all traffic to their port through unicast flooding, and seeing what they can pick up from that. Running traceroute to Internet addresses and then scanning each hop that reports back. Seeing if the DNS server will let them do a zone transfer. Running an SNMP scanner, looking for open systems. Walking around the building and plugging into as many ports as they can find. Setting up a routing daemon on their local system and seeing if they can form an adjacency with something on the local segment. Searching the local RIR database for tell-tale records.
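Two of the techniques above, the ping sweep and the DNS zone transfer attempt, leave a distinctive trail in ordinary logs, and the flip side of the interview question is whether the candidate knows what that trail looks like from the operator's chair. The following detector is an added example, not code from the original post; it assumes a hypothetical one-line-per-event log format ("timestamp src dst proto detail"), the sample lines are constructed, and the thresholds (five distinct targets within ten seconds) are assumptions to tune for a real network.

```python
"""Flag ping sweeps and zone transfer attempts in firewall/DNS log lines.

Added example, not part of the original post.  The log format, field
order and thresholds are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the hypothetical "ts src dst proto detail" format.
# 10.0.5.23 pings eight hosts in four seconds, then asks the DNS server for
# a full zone transfer; the other sources are ordinary background traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.5.23 10.0.5.1 icmp echo-request
2024-05-01T10:00:01 10.0.5.23 10.0.5.2 icmp echo-request
2024-05-01T10:00:02 10.0.5.23 10.0.5.3 icmp echo-request
2024-05-01T10:00:02 10.0.5.23 10.0.5.4 icmp echo-request
2024-05-01T10:00:03 10.0.5.23 10.0.5.5 icmp echo-request
2024-05-01T10:00:03 10.0.5.23 10.0.5.6 icmp echo-request
2024-05-01T10:00:03 10.0.5.23 10.0.5.7 icmp echo-request
2024-05-01T10:00:04 10.0.5.23 10.0.5.8 icmp echo-request
2024-05-01T10:00:10 10.0.7.9 10.0.5.1 icmp echo-request
2024-05-01T10:00:11 10.0.5.23 10.0.1.53 dns query AXFR example.internal
2024-05-01T10:05:00 10.0.9.4 10.0.1.53 dns query A www.example.internal
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse(log_text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, proto, detail = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "proto": proto, "detail": detail})
    return events


def find_ping_sweeps(events, min_hosts=5, window=timedelta(seconds=10)):
    """Return {src: distinct_targets} for sources that send echo requests to
    at least min_hosts distinct destinations inside any window-long interval.
    One host pinging its gateway never trips this; a sweep of a /24 does."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "icmp" and e["detail"] == "echo-request":
            by_src[e["src"]].append(e)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            # Distinct destinations reached within `window` of this event.
            dsts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(dsts))
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps


def find_zone_transfers(events):
    """Return (src, zone) pairs for AXFR/IXFR queries.  Only secondary name
    servers have a reason to issue these, so anything else is worth a look."""
    hits = []
    for e in events:
        if e["proto"] != "dns":
            continue
        parts = e["detail"].split()
        if len(parts) >= 3 and parts[0] == "query" and parts[1] in ("AXFR", "IXFR"):
            hits.append((e["src"], parts[2]))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("ping sweeps:", find_ping_sweeps(evs))
    print("zone transfer attempts:", find_zone_transfers(evs))
```

The sweep detector keys on distinct destinations rather than raw packet count, so a chatty monitoring host repeatedly pinging one target does not trigger it, while a scan of consecutive addresses does. On a real network the zone transfer check would additionally whitelist the addresses of your own secondary name servers.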
The idea with a question like this is to answer the question yourself ahead of time on a sheet of paper, then see what the candidate comes up with that lines up. Then, as they make their suggestions, you can probe them. Oh, so you’d try to get a DNS zone transfer. And if you succeeded, how would that information help you? Ah, so you’d look for broadcast traffic with Wireshark. What sort of broadcasts would you find useful? As the candidate explains their answers, you learn about their knowledge, but you also learn how they think. Is the candidate clever? Resourceful? Independent? Determined? Logical? Or is their only answer that they’d go up to your desk and ask you for a network map (see the next question below)? What happens if you point out a critical flaw in their logic? Do they get defensive? Angry? Or do they see the error they made and move on?