Many of the attacks we've seen above attempt to hijack sessions, trick users into establishing sessions on an attacker's behalf, or otherwise exploit the application's inability to enforce rules around them. Eventually, we're going to find a case where we need to address the elephant in the room and simply guess the password. There is a plethora of tools that can attempt this very fundamental task, but, in general, they all approach it the same way: iterating through candidate passwords, whether these come from full brute-force engines (crunch, for instance), from refined wordlists and syllable engines (John the Ripper, THC-Hydra, and so on), or even from prehashed solutions (rainbow tables and similar lookup tables).
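The three approaches named above (exhaustive enumeration, wordlist iteration, and precomputed-hash lookup) differ mainly in where the work is done, and that is what a defender controls with salting and a slow hash. The following Python is an added illustration, not code from the original text or from any of the tools it mentions: the wordlist, salt and hash function are constructed for the example, and the lookup table stands in for what a rainbow table or online hash database provides. It shows why a shared precomputed table reverses an unsalted hash in one lookup, why a per-user salt forces every guess to be re-hashed, and how fast an exhaustive keyspace grows.

```python
import hashlib
import itertools
import string

# Constructed sample wordlist; stands in for the output of crunch or a curated list.
WORDLIST = ["password", "letmein", "qwerty", "summer2019", "admin123"]


def sha256_hex(data: bytes) -> str:
    """Hex digest of SHA-256; a fast unsalted hash used only to make the point."""
    return hashlib.sha256(data).hexdigest()


def build_precomputed_table(words):
    """Map hash -> plaintext for an unsalted hash.

    This is the essence of a rainbow table or hash-lookup service: the hashing
    is done once, up front, and the result is reused against every target.
    """
    return {sha256_hex(w.encode()): w for w in words}


def lookup_unsalted(table, target_hash):
    """Constant-time reversal of an unsalted hash when the password is in the table."""
    return table.get(target_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt prepended before hashing (constructed scheme for the demo)."""
    return sha256_hex(salt + password.encode())


def guess_salted(words, salt, target_hash):
    """With a per-user salt the shared table is useless; each candidate must be
    hashed again with that salt. Returns (match or None, hashes computed)."""
    for count, word in enumerate(words, start=1):
        if salted_hash(word, salt) == target_hash:
            return word, count
    return None, len(words)


def brute_force_keyspace(charset: str, max_len: int) -> int:
    """Number of candidates an exhaustive engine must try for lengths 1..max_len."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))


def enumerate_keyspace(charset: str, max_len: int):
    """Generate every candidate, the way a full brute-force engine does.
    Only sensible for tiny parameters; brute_force_keyspace() gives the count."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def demo():
    """Run the three comparisons and return the results for inspection."""
    table = build_precomputed_table(WORDLIST)
    salt = b"\x01" * 16  # constructed fixed salt so the run is reproducible

    unsalted_target = sha256_hex(b"letmein")
    salted_target = salted_hash("qwerty", salt)

    return {
        "unsalted_lookup": lookup_unsalted(table, unsalted_target),
        "salted_via_shared_table": lookup_unsalted(table, salted_target),
        "salted_via_rehash": guess_salted(WORDLIST, salt, salted_target),
        "digits_len4_keyspace": brute_force_keyspace(string.digits, 4),
        "lower_len8_keyspace": brute_force_keyspace(string.ascii_lowercase, 8),
        "tiny_enumeration": sum(1 for _ in enumerate_keyspace("ab", 3)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salted case still falls to a wordlist walk when the password is weak, which is why salting is paired in practice with a deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count): the salt defeats the precomputed table, and the slow hash raises the cost of every individual guess.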
For Web applications, ...