Ok, its a good article, but you make a couple of comments that are a little misleading (I`ll answer my own question). In order to Hijack a remote session you are going to need to insert yourself into the data stream and then hijack it (using something like Hunty). hHwever to do this on a communication travelling across the net means you need to be somewhere along the route, and the only place you are guaranteed of actually knowing is the target comapnies external router.

So, now you need to attack the router and sniff traffic passing through it, then insert yourself into the session. So that makes things a little tricky,

Also, SecureID (or any other authentication system used for Admin or other access) will usually make use of a VPN, so now you have an ecnrypted data stream which you cannot simply hijack.

Most companies do not allow Telnet in through their external routers (or at least any company that knows what its doing doesn`t, and even most that don`t will block it)

Furthermore most organisation using a DMZ will place all there external machines in that network (or thats the hope anyway) and the firewall controlling traffic between the DMZ and the internal network will usually only allow traffic from the Internal to the DMZ, not vice versa. Except perhaps in the case of email, where often a mail relay will be used, these can often be tricky to attack as well.

Also a DMZ segment will nearly always be protected by a firewall as well, in the simplest configuration a firewall will have 3 NICs, one to the outside, one to the DMZ, and one to the Internal, so all traffic passes through the firewall.

Didn`t mean to beat up on your post, just that I see so many documents on attacking that assume things that really aren`t the case. of course if I am wrong please let me know as I would like to know.