Toolkit links

I figured I'd post what kinds of things are in my 'rip it apart and see what's going on' toolkit. For Windows. The Unix/Linux stuff is Someone Else's Problem so I don't have much experience with it. Likewise, NetWare doesn't need it.

Foundstone tools:
Fport: One of several tools that perform open-port / PID identification. I've had trouble with it on Win2003, but for Win2K and under it works just peachy.
BinText: Finds human-readable strings in files. Useful for scanning weird EXE files to see what's hidden in 'em.
SQLScan: Scans for MS-SQL and MSDE instances susceptible to things like Slammer. Yes, Slammer is still around. And in our environment, we're vulnerable to the thing if we leave vulnerable instances up.

SysInternals Tools:
FileMon: Monitors filesystem activity in real time. It associates the access to a PID and program, so I've found it useful in ferreting out hidden processes, and where on a system files are being secreted. It also allows filtering so you can exclude (spammy) expected traffic and see what else is being done. Some rootkits may specifically kill this executable if they detect it running.
PsTools: A toolkit itself, it contains a variety of very useful things, including: psservice, list and control services remotely from the command line; psinfo, dump information about local and remote machines; pslist, dump info about running processes (looks a lot like "ps" output); pskill, kill a process. A very NICE toolkit.
RegMon: Like FileMon, this monitors registry accesses. Like FileMon, it can be filtered to exclude certain (spammy) expected traffic and help isolate the traffic you want to look at.
TCPView: This tracks TCP connections and associates them to PIDs. Very nice for figuring out what's running on a system that shouldn't be. As with FileMon, some rootkits know about this utility and will shut it down. It comes with a command-line version too (tcpvcon).
Autoruns: This handy thing will tell you what programs are set to auto-run on your system, including obscure registry places as well as services. It includes file paths too, so in case that spyware/perp dropped things in a weird spot it'll stick out.
ProcessExplorer: Another very handy thing, this was designed to ferret out hidden processes. It uses a number of things to do this, including TCPView-, FileMon-, and RegMon-type accesses. I haven't used it much since I just discovered it recently.

Sniffing tools:
Ethereal: In my opinion, no toolkit should be without this tool. Darnit. It's a sniffer. It's great.
WinPCap: Windows version of the packet-capture library for Unix, needed for Ethereal to run.

Microsoft tools:
Yes, Microsoft has some nifty things to play around with when trying to rip apart a system. They're hidden most of the time, but they DO exist!
Debugging tools for Windows: I was pointed to this one on a service call for an Exchange problem, but it turned out to contain some very nice features. It has several tools that are replicated in the PsTools archive, such as a process lister (tlist) and a process killer (kill). A very complete kit I haven't had the chance to fully delve into.
Port Reporter: Fairly new, this particular tool tracks and logs all TCP connections made to the server. For XP and Win2003 machines the log contains the Port -> PID mapping, the modules loaded as part of the process, and whether the process is a service or not. As you can see, this has the potential to be very useful as well.

Other tools:
nmap: The classic port-mapper. Now with new application-scanning ability! This new bit is quite nice. Say an attacker loads an FTP server on a well-known but seldom really used port like the Echo port. This new app-scan ability will tell you that the port there on tcp/7 isn't Echo, it's "Serv-U FTP"! Handy.
OpenPorts: Yet another open-port <-> PID mapper. You'd think there was a problem identifying running processes on Windows or something. I've had good luck with this in the past, but Win2003 seems to make it a bit weird. Still plenty of Win2000 and WinNT around to use it on, though.
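As an added illustration of the open-port / PID mapping that Fport, TCPView, Port Reporter and OpenPorts all do (example code written for this page, not from any of those tools): join the output of "netstat -ano" with "tasklist /svc" into a port/PID/image/service table, then flag any listener whose owning image isn't the one a baseline expects on that port, the Serv-U-on-tcp/7 situation above. Both sample outputs, the image names in them and the EXPECTED_IMAGE baseline are constructed.

```python
import re
# Constructed sample of "netstat -ano" output (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING       2044
  TCP    10.0.0.5:445           10.0.0.9:49201         ESTABLISHED     4
  UDP    0.0.0.0:1434           *:*                                    1296
"""
# Constructed sample of "tasklist /svc" output (not a real capture).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
System                           4 N/A
svchost.exe                    812 RpcSs
sqlservr.exe                  1296 MSSQLSERVER
ServUDaemon.exe               2044 N/A
"""
# Hypothetical baseline: the image expected to own each well-known port.
EXPECTED_IMAGE = {("TCP", 7): "System", ("TCP", 135): "svchost.exe"}
NETSTAT_RE = re.compile(r"\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*?)\s*$")

def parse_tasklist(text):
    """Map PID -> (image name, list of hosted service names)."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:  # header lines carry no PID column and are skipped
            svcs = m.group(3)
            procs[int(m.group(2))] = (m.group(1), [] if svcs == "N/A" else svcs.split(","))
    return procs

def build_port_table(netstat_text, tasklist_text):
    """Fport/TCPView-style rows: port, PID, owning image, service or not."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        image, svcs = procs.get(int(m.group(4)), ("<unknown>", []))
        rows.append({"proto": m.group(1), "port": int(m.group(2)), "state": m.group(3) or "",
                     "pid": int(m.group(4)), "image": image, "is_service": bool(svcs)})
    return rows

def unexpected_listeners(rows, expected=EXPECTED_IMAGE):
    """Listening sockets (UDP has no state column) owned by an image other than baseline."""
    return [(r["proto"], r["port"], r["pid"], r["image"]) for r in rows
            if r["state"] in ("LISTENING", "")
            and expected.get((r["proto"], r["port"]), r["image"]) != r["image"]]
```

On a real box, feed it the saved output of both commands; rows with an unknown image or a mismatch against your own baseline are the ones to look at with BinText, ProcessExplorer and friends.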