1. Gain access to the password tables in the database (many ways to do this).
2. Run brute-force cracking on a local version of the password table.
3. Enter the password into the real system.
But brute force isn't the easiest way. Usually you just call around the company posing as IT and ask people for their password. It works a surprising number of times (maybe not asking for passwords, but talking to a person for information on the security of the system works often enough).
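Step 2 above depends on how the table stores passwords. The following is an added example, not part of the original answer: it contrasts an unsalted fast hash with salted PBKDF2, where the account names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed work factor; raise it as hardware allows

# Constructed sample accounts; two users share a password.
USERS = {"alice": "Summer2024!", "bob": "correct horse", "carol": "Summer2024!"}


def weak_hash(password):
    """Unsalted, fast hash: equal passwords give equal table entries."""
    return hashlib.sha256(password.encode()).digest()


def strong_hash(password, salt=None):
    """Salted PBKDF2: every offline guess costs ITERATIONS HMAC rounds per user."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt)[1], expected)


def shared_entries(hashes):
    """Count rows whose stored hash also appears on another row."""
    return sum(n for n in Counter(hashes).values() if n > 1)


def build_tables(users=USERS):
    """Return the same accounts stored the weak way and the hardened way."""
    weak = {u: weak_hash(p) for u, p in users.items()}
    strong = {u: strong_hash(p) for u, p in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("shared unsalted entries:", shared_entries(weak.values()))
    print("shared salted entries:  ", shared_entries(d for _, d in strong.values()))
    salt, digest = strong["alice"]
    print("alice login ok:", verify("Summer2024!", salt, digest))
```

With per-user salts a single guess can no longer be checked against every row at once, and the iteration count multiplies the cost of each guess against a stolen copy of the table.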