bamed is a combination of my initials and the first three letters of my last name.
Initials=BAM
1st 3 letters of last name=Med

I like it cause I can use it as a verb.  You've been bamed!

The dd command is not what you need in this instance.  dd is used for making exact images of drives or partitions.  The if= switch takes a FILE as its argument.  This is typically the file Linux associates with a partition or drive, such as /dev/hda1.  It sounds like you're trying to copy data over a network.  If you just want to copy data, why not use cp?  If you need to keep files synchronized over a network share, lookup rsync. 

If you are trying to make an image of a drive to use for forensic purposes, your current setup simply won't work for this purpose.  Simply by mounting a drive you could make change to it which makes your image invalid.  If the drive is in Windows, then shared, then mounted in Linux, then copied... this isn't how you do forensics, so I'm going to assume that's not what you're trying to do.

Here's a similar questions: I've already got OSCP, should I worry about CEH?

I REALLY want to go to DEFCON this year, but doubt I'll come up with the $$$  .  That is unless somebody is willing to carpool with me from SW MO, and willing to share a room...

You mean if I pay somebody else to support their own product, I don't have to always know everything about everything 24/7/365?

Somebody should tell my boss this.

These kinds of events are why I need to leave the MidWest where nothing EVER happens!!!

Don't forget to give them a list of services that must be running and stay running.  It's easier to kill apache than to harden it.  Depends on their level of skill, and how involved you want the scoring to be.  But keeping a list of critical services up and running should be part of the defense.

Give the password lists at http://www.renderlab.net/projects/WPA-tables/ a try.  I know this page is about WPA, but the password lists they give are still pretty good ones.

sil does have a good point.  You really don't want to mess with production servers unless you really know what you're doing.  I'm assuming from the description so far that this is a small business, so they are probably more likely to let someone fiddle with things simply because they don't know better.  However, if something does go wrong, even if it wasn't your fault, say someone else ( a real malicious user), gets into the system, steals some info, loads a virus, or whatever.  I'd say there's a pretty good chance you could take the blame whether it's your fault or not.
We're just trying to watch your back here.  It's real easy for people starting out to start fiddling with things and find themselves up a creek full of fecal matter without an adequate means of propulsion.
So, at the very least, get written permission and some kind of liability release so they can't come after you if something goes wrong.

Actually, getting a contract is not a bad idea.  I would be cautious of doing anything with verbal permission alone.  If anything does go wrong, you want your own back covered.
With that being said... any more progress?

If you're scanning externally, there's a chance you aren't directly scanning a Windows server.  It looks like you're actually scanning a firewall appliance, and certain ports are forwarded to internal servers.  So SSH could be the appliance, or an internal server.  IIS is on the Windows Server. etc.

jonas,
I mean no offense, I just don't think practicing on a live server is a great idea.
At any rate, I think you still need to do some more recon.  What SMTP server is running?  Can you connect to it and enumerate any usernames?  Some info on that process can be found at http://forums.remote-exploit.org/tutorials-guides/19158-smtp-enumeration.html.
I'd also spend some more time trying to figure out what SSH server is running.  SSH is not a normal service for a Windows Server, so finding out which server could help...

Those are the things that come to mind.  I'm sure others might have more suggestions.

First of all, I'm going to assume you're doing this with permission, otherwise you're in the wrong place.  Secondly, you said they "wouldnt be so happy if any services went down...".  Sounds like you shouldn't be playing with this server even with permission.  Setup a test server if you're just trying to learn.  You shouldn't be learning on live in-production servers.  Nothing good can come from it.
Maybe you can clone the system, or use some P2V tools to create a virtual copy of it?
Then you can be as aggressive as you want without worrying about shutting anything down, and you won't crash anything unknowingly and thus bring down the wrath of your employer.

It was fun, but totally kicked my butt too.  Never got past phase 1.  I didn't get much time besides Saturday morning and a little while Saturday evening to spend on it, though I did spend all weekend thinking about it.  Now I know I need to focus some study on exploiting web apps. 
On another note, I managed to get through the Google Code Jam qualification round, so the weekend wasn't a total loss!

There's 15 people on the scoreboard so far.  This n00b filter is pretty tough.  The IDS is pretty fierce and the 5 minute cooldown is wearing on my patience.