The Windows 2000 Telnet client can be launched via email or browser and automatically passes NTLM authentication credentials to a telnet server. Proof of concept exploit includes a modified telnet server which causes the w2k telnet client to auto authenticate and prehash-ntlm.c which can be used to launch a dictionary attack against a retrieved hash.
82b52ace068cc6c157c2910a941a5a36a69ebeed844d0b304468d6b56322c0ae