@steven what I've noticed is that I get a lot more tools that never hit those sites (and likely never will) by following certain people via, say, Twitter, mailing lists, personal blogs. For example, Chimichurri:
http://www.zdnet.com/blog/security/wind ... osoft/6849
“Microsoft is aware of these issues (and other local privilege elevation issue that can be exploited by any user but I won’t be talking about it before the fix) and they will be releasing fixes and advisories in August,” Cerrudo explained.
The researcher also plans to release two exploits (called Chimichurri and Churraskito) for IIS and SQL Server. These exploits could work on other services too with some minor modifications, he said.
Chimichurri and Churraskito have been out for a little bit and they still haven't hit "tool sites":
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->
Usage: Chimichurri.exe ipaddress port <BR>
(EVERYBODY uses tools)... My initial point was just what you explained in your response. I tend to see a lot of questions aimed towards: "Hi do I point and click 'pwn' something!" Where my responses tend to explain certain things to enable someone to think outside the box...
Anyhow, I'd pick the top 20 "scary people I wouldn't want on my network" and follow them. For that, I name: Charlie Miller, Dave Aitel, Kostya, Dino Dai Zovi, HD Moore, Adam Shostack, Dan Guido, Pedram Amini, Alex Sotirov, Cesar Cerrudo, Halvar Flake, FX, Stephen Ridley, Nico Waisman, Aaron Portnoy, Tavis Ormandy, wushi of team509, kingcope... Following those will lead you to LOTS of informative tools, methods, concepts, etc. I'd rather roll around in broken glass than fsck around even playing CTF with them.
Lastly, if you can find him and/or if he'd even wanna talk (old schoolers would know him)... Eugene of the old group Ghettohackers (Where my dawg @). Probably the scariest guy I've ever corresponded with via way of security on the "hacking" level. Well, him and a friend of mine named minga (if you can find him). Your mileage may vary though. I talk to many of those listed from time to time and I admire their expertise and knowledge but am not intimidated by them, so I tend to bug them like a mosquito in their ear from time to time. If I HAD to follow just 20 people, either to learn about tools or find out what *really* works, those would be them.
These guys all make tools (well, most) and if they don't, they know and explain enough "hardcore" stuff that'll make even the most experienced security practitioner feel like a newborn. I try to follow most of their blogs, tweets, etc., and in the end, sometimes come up with my own "WTF" tools.