arcane

You could do a simple ping scan:
nmap -sP 198.168.XX.X/24

You could also try: nmap -A 192.168.56.103

Sometimes it will hint what OS it is under service info. I think it queries mdns to get information unlike a regular OS scan which requires ports to be open in order for it to work. If there is no information on the service info line, it is probably Windows.

I do this exact same thing to remote into servers. I have always used local port forwarding for my vnc and remote desktop connections. So you may be able to do it with remote forwarding, but I have never tried it.

You have:

ssh -L 5900:localhost:5555 ubuntu@ec2serveraddress.com

I think the ports should be reversed and destination is not localhost but your server. So, it should look this:

ssh -L 5555:ec2serveraddress:5900 ubuntu@ec2serveraddress.com

Since we locally forward port 5555, we can access vnc using:

127.0.0.1:5555 in the vnc client

As an fyi, ubuntu@ec2serveraddress.com does not have to be on the same server, but needs to be able to access the server you are trying remote into

As an other side note, ubuntu server does not have a gui installed be default

The NDP poisoning is something I did not know about and now have something to experiment with I am surpised there is not a lot of ways to perform this attack.

I recommend what Infiltrator said. But for curiosity sake there are two tools that can do exactly what you were your describing. They are TSgrinder and TScrack. You would have better luck exploiting remote desktop then bruteforcing a password with these tools.