Please refer to :
Bullets #1 and #7.
This is dependant on multiple varables, including (but not limited to): time, interest, potential return, information needed, target type/config, etc...If someone only had access to the compromised network and a limited time budget (meaning network scanning tools would be most efficient), what scans besides nmap and nessus would you run?
Any and all anomylous behavior (which assume a baseline against which to compare or intimate knowledge of the environment).What behavior should be scanned for?That's always a good moveVNC Servers where none should be?Traffic analysis.How can one find rogue vpn sessions?
If you compromised a machine aren't you passed the FW?How would someone get past a generic corporate class firewall and access the internal network once a machine has been compromised?You could.Or would one simply try to compromise a system in the dmz?
Again this answer depends on too many variables. How attendtive are the sysadmins? What type of systems? What type of services are offered? How much legitimate taffic is there?Based on the type of resource, what backdoors might be optimal?Tools designed to "snoop" those servicesLike what would be best for snooping email? File servers? Databases?This is a PenTesting 101 type question, if you don't know the answer you're in way over your head.How can one scan for these?