Google is your friend, there are a lot of free word lists out there.

Tip: Many testers like to feed passwords they have previously guessed/cracked/recovered into their wordlist.

Jimbob

 You would think so, but you can some times get by with it.  If you see it hanging out there, it can be worth the "roll of the dice".  Just make sure you do your initial attacks from a different IP than the one you are doing the main body of work for your pentest.  It sucks to get blocked right at the beginning because you were trying to storm the doors of the castle a little too blatantly. 

A pretty good tool for doing brute forcing is THC Hydra.  Your password list should probably be a combination of dictionary words, commonly used passwords (whether you can use ones from other engagements may or not be allowed based on your previous work arrangements), and another method to get good passwords is to mine for keywords off of the company's website.  Getting usernames can be done the same way, potentially looking through metadata to find usernames and ideas for passwords.  Check out metagoofil for metadata extraction.  There have been a few articles out there on this, most notably by Chris Gates and a post on pauldotcom.com by Larry. 

Just on a side note, there are cases where you'll want to "storm the gates" like this.  Sometimes we get asked to do pen tests as part of an audit, and we know that the corporate security team is not aware that we've been brought in.  Part of the assessment is to determine if they are monitoring the network correctly.  We'll start doing attacks on the scale of "quiet" to "loud" and try to see where they actually start to catch us.  You'd be surprised how many times you'll get all the way to brute forcing passwords before someone actually figures out what's going on.