I am looking for something that takes an IIS/ASP.NET website that uses forms authentication and repeatedly tries to log in, either with all possible passwords or with passwords from a dictionary.
I can probably write something up, but I wondered if there was anything publicly available that would be better implemented.
For online brute forcing of login systems I recommend using THC-Hydra. I always use this tool in my penetration tests. By contrast if you have a password hash or a salted password hash then you should use John The Ripper to break it offline which is much faster.
After 3 failed logins you should prompt that ip address with a captcha like reCaptcha.
If you're using the built-in ASP.NET membership provider, there's a property you can set called passwordAttemptThreshold. After a certain number of attempts the account will automatically be locked. While you can still be brute-force attacked, the chances of an account being compromised within the passwordAttemptThreshold is sufficiently low. Also, you can enforce a password policy with the membership provider as well, which really makes brute-force attacks less likely.
Granted, this doesn't answer your exact question, however you may still find it more prudent to simply prevent brute-force attacks from happening in the first place. Whatever brute-force library you find, there will always be a better one out there - and the good ones probably aren't even available as they are no doubt a closely-guarded secret of real hackers.
Instead of attacking the website from the outside, I would recommend taking the hashes and cracking them offline.
A better approach is to make a password policy on the site so you don't have to do this. Password cracking is tough, and unnecessary in most situations