[Nmap Finding Targets]

You could do a simple ping scan:

nmap -sP 198.168.XX.X/24

[Nmap O.s Detection Problem]

You could also try: nmap -A 192.168.56.103

Sometimes it will hint what OS it is under service info. I think it queries mdns to get information unlike a regular OS scan which requires ports to be open in order for it to work. If there is no information on the service info line, it is probably Windows.

[Ssh Tunnel Connecting 2 Remotes For Vnc]

I do this exact same thing to remote into servers. I have always used local port forwarding for my vnc and remote desktop connections. So you may be able to do it with remote forwarding, but I have never tried it.

You have:

ssh -L 5900:localhost:5555 ubuntu@ec2serveraddress.com

I think the ports should be reversed and destination is not localhost but your server. So, it should look this:

ssh -L 5555:ec2serveraddress:5900 ubuntu@ec2serveraddress.com

Since we locally forward port 5555, we can access vnc using:

127.0.0.1:5555 in the vnc client

As an fyi, ubuntu@ec2serveraddress.com does not have to be on the same server, but needs to be able to access the server you are trying remote into

As an other side note, ubuntu server does not have a gui installed be default

[More Methods For Mitm Attack]

The NDP poisoning is something I did not know about and now have something to experiment with :) I am surpised there is not a lot of ways to perform this attack.

[More Methods For Mitm Attack]

I was wondering if there are more different ways to perform a man-in-the-middle attack besides arpspoofing, arp flooding, dhcp exhaustion, fake access point, dhcp server and a physical bridge?

[Brute Force Terminal Services]

I recommend what Infiltrator said. But for curiosity sake there are two tools that can do exactly what you were your describing. They are TSgrinder and TScrack. You would have better luck exploiting remote desktop then bruteforcing a password with these tools.

[Arp Poisoning Killing Targets Internet Connection]

Make sure ip forwarding is enabled

echo 1 > /proc/sys/net/ipv4/ip_forwarding

[Safest Way To Store Information]

The most critical things to encrypt is your home folder and the swap partition. Whole disk encryption with truecrypt on the Linux platform would be perfect, but it is not supported. You might be able to move /boot to a separate partition and encrypt everything else. It may work but I have not tried it. I would also make sure the computer locks out automatically.

[Packet Sniffers]

Dsniff, Urlsnarf(part of Dsniff suite), Driftnet. There is also Xplico.

[Wireless Snifing With Wireshark]

I get the same thing when I try to sniff packets with wifi. Home routers act more like a switch then a hub. Try arp spoofing and see if that works :)

[Metasploit Over The Internet]

You can run netcat behind a NAT and connect to it using metaspoit from the outside world. You can get someones ip address from email headers or IM, but that is there public ip address. Getting someones private ip address from the internet (WAN) is a bit tricky through.