VNCcrack is a fast offline password cracker for the VNC challenge/response protocol. If one can somehow observe a VNC authentication, then VNCcrack can run a dictionary attack against the exchange and attempt to find the password.
It works by scanning a pcap file (as generated by the common tcpdump tool) for VNC challenge/response exchanges, then checks against a preexisting wordlist (reading from stdin is also supported, allowing the use of John the Ripper, see the documentation in the tarball for further information). It is quite fast and can check well over a million passwords a second on a 2.4 GHz Core2 processor.
It has been tested to successfully recover the password of an exchange between a Gentoo Linux/amd64 client and a Windows XP/x86 server, both running TightVNC 1.3.9.
VNCcrack 2.1 (2008-11-07): tarball