Let me just say that I'm likely to use Backtrack in any phase.

Phase 1 Passive Reconnaissance
Google (1st stop for passive recon); Facebook, MySpace, LinkedIn, etc. (find info on individuals); Netcraft (find passive info about web servers); Whois; Geo Spider; Google Earth; HTTrack; Webripper; Wireshark (I use it in almost every phase. I wanna see if their website is sending me any tracking goodies while I'm reconning it.); Paros (same as above, plus I use it to study authentication methods and other stuff on their sites).
Phase 2 Scanning
Nmap, Firewalk, Hping, Modem Scan, THC Scan, ToneLoc, p0f, SolarWinds, TCPTraceroute.
Phase 3 Vulnerability Research
(I pretty much go manual here, but there's always Nessus, ISS and others.) I usually try and build something that looks as close as possible to my target and practice exploiting it. I count this as part of my vulnerability research. Places I check are Secunia, SecLists, Milw0rm, eEye, Metasploit.com, SecuriTeam, vendor websites, and a few others.
Phase 4 Penetration/Hacking/Breaking In
Manual exploit code, Metasploit, Core Impact (large scale: 5000 or more nodes to penetrate).
Password Cracking
KerbCrack, Pwdump, Cain & Abel, John the Ripper, RainbowCrack, Hydra.
Trojans & Rootkits
I usually make my own, but some good POC ones are Poison Ivy, Nuclear RAT, and NetBus.
Phase 5 Going Deeper
Dsniff, Tcpdump, Arpspoof, PuTTY, Recub, Scapy (to trick devices and anything else which accepts or sends packets), WebScarab (studying HTTPS and other secure authentication processes), IDA Pro (reversing any custom apps I find being used internally), OllyDbg (same as above), Yersinia (VLAN hopping and other low stack-level attacks).
Phase 6 Covering Tracks
RM, delete, erase, etc. (obviously). Clearlogs, Wipe utility, ADS, Winzapper (not a big fan, but when I have to…).