So when you say you're using tools like dig or nslookup, are you just not coming up with any info on them from the dns server(s) you're enum or nothing comes up that can pinpoint a particular service that the IP address maybe tied to (ex.. mx record= good chance for smtp to be running)? Depending on the 'nature' of the TOE, you could hit search engines hard, and see if anything has leaked online. Long shot but you never know...  Guess I'm assuming you're trying to get information on the IP's without sending any kind of packets to the ports..? Is this coming from an outside (BH) or inside (WH) approach? Interesting question... Can you give more insight?

If your IP range that you are checking is public, then some search tools should give you some insight.  DNSStuff and MXToolbox might help out a bit.  Definitely Whois as well.  Aside from that, well you can always plug them into a browser and see if 80/443 are open.  If you are testing them for possible malicious activity, you may want to toss them in a sandboxed browser or visit using TOR to keep yourself a bit more anonymous.

Aside from that, you can run NMAP with no ping and scan for common TCP/UDP ports.  Sometimes just testing against the common ports, depending on where the IPs are located, can give you some decent info before firing up NMAP.

What do you mean by "non-routeable?"

Whois would be the first step I would use. You should at least be able to get some rudimentary information about the IPs.

I'm curious where you got these IPs if you don't know what domain they belong to. Generally, if you have permission to scan/attack an address, you know who gave you that permission...

Ahhhh....it make more sense now.

Aside from an nmap scan, I'd fire up Wireshark/Tcpdump and see if you get any broadcast messages such as ARP, NetBIOS, etc. You might be able to get some information such as OS and/or hostname from this. A lot of times, the hostname may give you a clue as to the system's purpose (ie. open ports that are likely on the system).

Another tool you may want to look into os 'p0f.'

Wireshark would certainly be the place where I'd start. If you are tapping into the LAN they are on already you should be able to ascertain everything you need with a few wireshark traces. Careful for the amount of data though, this will be a good time to learn the filtering options of Wireshark