7

A colleague and I both presumed this was a clear "no" but, admittedly, our networking knowledge is limited.

Is it even possible that, without prior knowledge of the network configuration (i.e., no DHCP or static IP configuration handy), you could figure out the network's gateway? If it is indeed possible, how?

Belmin Fernandez
    Just an observation: so far all answers refer to IPv4. IPv6 provides mechanisms for what you require, but I'm guessing because you didn't state you have an IPv6 network that you are looking for a pure IPv4 solution. Then again, if you have the choice over your IP infrastructure you might want to indicate what architecture you are expecting to run with. – albal Oct 20 '11 at 14:31

4 Answers

5

Firstly, I would hazard a guess that 90% of the time it's the first IP address in your subnet (so, 10.10.5.0/24, it would be 10.10.5.1) - although my network has one on .17 and one on .23 (and nothing at all on .1); so make of that what you will.

If it's a wifi network, you could listen in promiscuous mode and look at what the most common destination for external traffic is, and if others are using the gateway, you can deduce it from there (by greatly reducing the number of IPs to check with).

If it's a fully switched network, things become a lot harder, but what I have done in the past is watch ARP requests and systematically go through the most heavily advertising ARP devices.

But this is all a long way of saying no, there is no way to tell with 100% certainty what IP address the network gateway resides on, or if the network even has a gateway.


Practical example: I once inherited a Watchguard firewall, and I had its passphrases, but no idea what network it was listening on, which is much like your theoretical predicament. What I ended up doing was firing up Wireshark and capturing ARP traffic. After a while, the MAC address of the Watchguard box started showing up in global broadcast traffic, doing gratuitous ARPs, looking for an IP address of some unknown, pre-configured device. From there it was pretty simple to set myself on the right subnet and find its IP address.


Al West brings up an interesting point - on IPv6, gateways are fairly easy to find if they use autoconfiguration - each router advertises itself (through an RA), so you can just listen for them. If it's a DHCP network, or a network with no autoconfiguration OR DHCP, the same rules apply as above.

Mark Henderson
  • Aside: Watchguard firewalls of the past few years show their IP addresses on the LCD panel on the front. Alternately they listen on port 8080 for management web connections on the LAN by default. – TessellatingHeckler Oct 31 '11 at 19:52
  • @TessellatingHeckler - indeed they do. This was a Watchguard III - one of the 2U red boxes with the triangle on the front. I wish it had been an X-series (with the LCD)... – Mark Henderson Oct 31 '11 at 23:28
2

I think I have to disagree with @Mark Henderson here. Except in what I consider edge cases:

  • policy-controlled subnets (VACLs, MAC filtering). This will prevent you from being able to contact the router even if you can figure out what it is.
  • 802.1x environments. This type of security was meant to prevent people from plugging into a physical port and gaining access. So while the 802.1x environment may actually give you hints as to what the router is so you can authenticate, you won't be able to use it for any sort of traffic.
  • non-broadcast networks: this is practically impossible.

Outside of that, it is possible. But it is not trivial and it may take a significant amount of time. I've built scripts that do this to test routing investigation in undocumented networks. You have to solve a few problems first:

  • what is the subnet of the network you are connected to?
  • which devices are available on your network?
  • if you set a route through one of these devices, can you ping a remote device that you know is up and can reach via a 'known good' internet path?

To solve the first part you can tcpdump the interface and it will show some traffic, hopefully some broadcast or ARP traffic. It is usually best to try DHCP first, but if that doesn't work you can just listen for an hour and then pick an IP address that is in the range you see. Also, if you see ARP requests frequently on this network, it is probably the router making them. That means you should test the source of these first as a gateway before testing other available hosts.

To solve the second part, after you get an IP address assigned run nmap or strobe and figure out what other devices are on the network.

To solve the last piece, set up a static route using the route command to either the default (0.0.0.0) or some specific IP and see if you can ping your external test host. This can be a simple ICMP test, or I would suggest an HTTP request to a CGI that returns what your source IP is, so you can tell what you got NATed to.

polynomial
2

As both Mark and poly stated in their answers it probably could be done but it's not trivial and it would rely on a certain amount of lucky guesses and the making of assumptions.

As a hypothetical example: You could plug a laptop into the network and run a packet capture program. At the very least you're going to pick up some broadcast traffic (ARP, NetBIOS, etc.). That will allow you to determine the IP addresses in use on the network (but it won't tell you what subnet mask is in use). You could then pick a random IP address in the range in use on the network (you'll have to make an educated guess as to the subnet mask and you'll have to hope that the address isn't already in use). You can then run an ARP scan on the network with an ARP scanning program and hope that the program can accurately identify the devices that respond to the ARP scan. If it does, you can guess from the device identification which device might be a router; you could also deduce this yourself by looking at the first 3 octets of the MAC addresses, which identify the manufacturer, and look them up in this OUI list to find the device that's likely to be the DG. For instance, any Cisco devices discovered are going to be switches or routers in 99% of cases. From there it's a matter of guessing and making assumptions about the IP addresses returned in the ARP scan as to which one is the DG.

As you can see, this method (I'm sure there are other ways to go about this as well) is hardly scientific and hardly guaranteed to produce surefire results.

joeqwerty
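Added example (my own code, not from any of the answers above): a small Python script that applies the passive heuristics Mark, polynomial and joeqwerty describe to captured frames. It parses Ethernet/ARP, guesses the subnet as the smallest prefix that contains every address seen, and ranks senders by how many ARP requests they issue. The capture is constructed inline; the Ethernet and ARP layouts are the standard ones, and the function names and sample MACs/IPs are my own.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST = 0x0806, 1

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip); None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

def common_subnet(ips):
    """Smallest network containing every address seen: a mask guess, not a fact."""
    net = IPv4Network(ips[0])             # starts as a /32
    for ip in ips[1:]:
        while IPv4Address(ip) not in net:
            net = net.supernet()          # widen one bit at a time
    return net

def rank_gateway_candidates(frames):
    """Return (subnet guess, [(mac, ip, request count), ...] chattiest sender first)."""
    requests, seen = Counter(), set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue                      # not ARP: ignored
        op, sha, spa, tpa = parsed
        seen.update(ip for ip in (spa, tpa) if ip != "0.0.0.0")  # 0.0.0.0 = address probe
        if op == ARP_REQUEST:             # only who-has counts, not replies
            requests[(sha, spa)] += 1
    ranked = [(mac, ip, n) for (mac, ip), n in requests.most_common()]
    return (common_subnet(sorted(seen)) if seen else None), ranked

def arp_request(src_mac, src_ip, target_ip):
    """Build a broadcast who-has frame; used only to construct the sample capture below."""
    body = ARP.pack(1, 0x0800, 6, 4, ARP_REQUEST, src_mac, IPv4Address(src_ip).packed,
                    b"\0" * 6, IPv4Address(target_ip).packed)
    return ETH.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP) + body

# Constructed capture: one device at .1 asks for four hosts; two hosts ask for .1 once each.
ROUTER, HOST_A, HOST_B = b"\x00\x00\x0c\x11\x22\x33", b"\xaa\xbb\xcc\x00\x00\x01", b"\xaa\xbb\xcc\x00\x00\x02"
SAMPLE = [arp_request(ROUTER, "10.10.5.1", f"10.10.5.{n}") for n in (20, 21, 22, 23)]
SAMPLE += [arp_request(HOST_A, "10.10.5.20", "10.10.5.1"), arp_request(HOST_B, "10.10.5.21", "10.10.5.1")]
SAMPLE.append(b"\xff" * 12 + b"\x08\x00" + b"\0" * 28)  # an IPv4 frame, skipped by the parser
```

Calling `rank_gateway_candidates(SAMPLE)` yields a subnet guess of 10.10.5.0/27 and puts the .1 device first with four requests; on a real capture, feed it the raw frames instead of SAMPLE and treat the top entries as candidates to test, not as an answer.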
0

Since an (IP) gateway is configured on every connected node, and not part of the actual network configuration, it is impossible for the network itself to tell you what "the gateway" is - there is no such beast.
However, with some promiscuous ARP sniffing you could figure out which node all other nodes are using as their gateway, and presume that this will work for you as well.

adaptr