as i said, find out what kind of website system it uses. that's the first thing.
Acunetix is quite ok scannner.
NetTools (made by Ahmadi) is quite good for some simple things, but you would first have to find something to exploit.
WebScarab can be used to exploit other things in website, but getting password hashes is not that simple nowdays.
Weakest link in computers is always the human factor, so i suggest you try exploit the human stupidity.
try sending a keylogger, use a cookie stealer ..etc
stolen cookie can give you access to admin / moderator rights and you can make quite of a chaos, you can't go to admin panel because it will ask for password, but you can still delete, rename, move ..etc
I have working cookie stealer here:
http://sethioz.com/forum/viewtopic.php?f=47&t=986
Follow the topic, it's all explained how to use it. if you have issues with that cookie stealer, do not post in this topic, post in cookie stealer topic.
There's also XXS (cross site scripting) and SQL injection that might work, those are most common, but again those hosting companies that offer a pre-configured sites are usually not so easy to hack. once someone exploits one of the site, most likely it gets reported and they will fix it.
For example on my website, i see every request made. if someone finds exploit in my site, i would see each detail what was done so i would know exactly how to patch it.