Brian Kelley has a good post on how to use nmap to find SQL Server instances on a network.
If you can focus on a particular subnet, you can also use other techniques like sqlcmd -L, but using nmap allows for a lot more flexibility.
Bonus: Brian also rants about common sense (or the lack thereof). I would argue that people who try to explain things should, in fact, tread carefully and throw out warnings like they’re candy. In the first instance, you don’t know who your actual audience will be: yeah, the guys with 15 years of experience and outstanding processes may hit the link because they forgot the exact syntax for getting that nmap scan running, but you’ll also get accidental DBAs looking for a way to document server sprawl, networking people who talk about “the database,” app developers who know how to write select statements and thus get pushed into DBA roles, or somebody whose CIO is standing in his cube waiting for results. In all of those cases—including the guy with outstanding processes, experience, and an abundance of common sense—it’s good to give that warning because either the person does not already know the potential dangers, or perhaps is not thinking of the dangers at that time. Taking that extra minute to say “Hey, don’t run this unless you do A, B, and C first; CYA is your friend” is definitely worth it, even if it’s just as a nagging reminder. After all, even those guys with 15 years of experience and loads of common sense can make a typo or forget that this code has a side effect (or main effect) that they should prepare themselves for.