
Messages - mcsquiddy

1
Hacking and Security / Re: Undetectable Hacking.
« on: January 20, 2014, 10:57:14 pm »
Thanks! I agree the metasploit unleashed page is highly mediocre, and does not provide much explanation on what is going on.
One thing I have been struggling with is how the MS08_067 module establishes its connections to the target machine. From what I could deduce (probably incorrectly), the module establishes a TCP connection by calling the connect() function in the TCP mixin, and then establishes an SMB connection through smb_login(). I know the SMB connection will use a TCP connection, but is it using the TCP connection already established? I have found no documentation on how this is done.

Later this piece of code comes up

Code:
    # Bind a DCERPC handle to the Server Service (SRVSVC) interface, version 3.0,
    # using the ncacn_np protocol sequence (RPC over an SMB named pipe).
    # The pipe name comes from the module's SMBPIPE datastore option.
    handle = dcerpc_handle(
      '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )
I know the exploit works by sending a malformed RPC packet to the server service process that can be identified by the 4b32.. code, and that the protocol used is ncacn_np, which I think is a form of Named Pipes over RPC? I am completely baffled by how the connections all link in the end, as the use of mixins abstracts what is going on. And there isn't much documentation floating around on how connections can be established in Metasploit. If you guys have any info or know where I can get some on a deeper level, I'd be very grateful, as it's had me stumped for a while.

Thanks.

Edit: Added code for the MS08_067 module
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms08_067_netapi.rb

2
Hacking and Security / Re: Undetectable Hacking.
« on: January 20, 2014, 12:02:26 pm »
Thanks for the useful replies. Essentially yes, I am trying to frame the second computer. The overall goal of the project is to prove that someone could hack me, perform another hack and remove all traces of their attack on me, essentially framing me. This would then provide plausible deniability in that I could claim that I did not perform the attack and that I was in fact attacked by someone else, even though no one could prove it, and neither could they.

3
Hacking and Security / Re: Undetectable Hacking.
« on: January 19, 2014, 06:27:53 pm »
I am on a deadline and only have 2 months to conclude the project. I've done a lot of research, and all I'm asking is for resources to point me in the right direction.

4
Hacking and Security / Re: Undetectable Hacking.
« on: January 19, 2014, 05:58:44 pm »
Windows XP is still the 3rd most used OS as of today; furthermore, this is more of a plausible deniability project, so the OS in use is not of importance. If I can prove that this sort of attack can be achieved, then the project would be a success. Does no one know of any resources or have any info on how such an attack could be pulled off?

5
Hacking and Security / Undetectable Hacking.
« on: January 19, 2014, 03:42:58 pm »
I am currently working on a project that involves attempting to exploit a target system running Windows XP SP2, then attacking another system through said system, and then removing all trace that the first attack occurred, essentially remaining undetectable. My question is: is this possible?

I have only spent about a month learning to hack, so I do not know all of the tricks that can be used, but so far I have concluded that, short of physically gaining access to the other system (via breaking in and using the computer to hack), it is impossible to be completely undetectable.
The vulnerability I am using is the MS08-067 vulnerability, and I will attempt to deliver the payload via a DLL injection or a shell (if I can delete logs of the new process being made), and keep the entire attack in RAM, avoiding any disk changes that can be investigated. I will also be conscious of slack space etc. and have considered powering down the victim machine after the attack to avoid the RAM persisting.

If anyone has any information on whether it is in fact possible to attack a system, delete all logs of the connection occurring etc. I would be grateful.

Thanks.

STAFF NOTE: fixed the font size cause it was hard to read
