set SMBUser [User]
set COMMAND [command you want to run at the command line]
exploit
Figure 73 - qwinsta
If you remember, back in the setting-up-your-box phase you had the option of enabling logging in Metasploit. This is one area where logging is very helpful. If you execute a command across a /24 network or larger, the output is going to be extensive, and it is much easier to have Metasploit log everything to a file and grep that file than to scroll back through the console.[13] In the previous command I was able to run qwinsta on every host and link IPs with usernames. If I have a list of IT administrators, I can go directly after their boxes instead of compromising every host on the network.
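Grepping the log works, but the qwinsta table is wide and the interesting column (USERNAME) is often empty, so a small parser is more reliable. The script below is an added example, not code from the book: it reads a Metasploit log in which each host's output is tagged with a "[+] ip:port - " prefix, splits every qwinsta row into session name, user, ID and state, and then reports which hosts have a session for someone on a list of IT administrators. The log text is constructed for the example and the wording of the status lines is an assumption; only the host prefix and the qwinsta column layout matter to the parser.

```python
import re
from collections import defaultdict

# Constructed sample of a Metasploit log after running psexec_command with
# COMMAND=qwinsta against a range. The "[+] ip:port - " prefix mimics the
# console's host-tagged output; the status line wording is an assumption.
SAMPLE_LOG = """\
[*] 10.0.0.5:445 - Executing the command...
[+] 10.0.0.5:445 - Command completed successfully! Output:
[+] 10.0.0.5:445 -  SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
[+] 10.0.0.5:445 -  services                                    0  Disc
[+] 10.0.0.5:445 -  console           jsmith                    1  Active
[+] 10.0.0.5:445 -  rdp-tcp                                 65536  Listen
[*] 10.0.0.6:445 - Executing the command...
[+] 10.0.0.6:445 - Command completed successfully! Output:
[+] 10.0.0.6:445 -  SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
[+] 10.0.0.6:445 -  services                                    0  Disc
[+] 10.0.0.6:445 -  console                                     1  Conn
[+] 10.0.0.6:445 -  rdp-tcp#3         it-admin                  2  Active  rdpwd
[+] 10.0.0.6:445 -  rdp-tcp                                 65536  Listen
[-] 10.0.0.7:445 - Unable to login: Login Failed
"""

# "[+] 10.0.0.5:445 - <body>"  ->  tag, host, body
LINE_RE = re.compile(
    r"^\[(?P<tag>[+*-])\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+-\s?(?P<body>.*)$"
)


def parse_qwinsta_row(row):
    """Turn one qwinsta table row into (session, user, id, state).

    The USERNAME column may be blank, so the row is split on whitespace and
    the first all-digit token is taken as the ID; whatever precedes it is the
    session name and, if present, the user. Header lines and anything else
    without a numeric ID return None. (An all-digit username would confuse
    this; such accounts are rare enough to ignore here.)
    """
    toks = row.split()
    if not toks:
        return None
    if toks[0].startswith(">"):  # qwinsta marks the caller's own session with '>'
        toks[0] = toks[0][1:]
        if not toks[0]:
            toks.pop(0)
    for i, tok in enumerate(toks):
        if tok.isdigit():
            break
    else:
        return None
    if i == 1:
        session, user = toks[0], None
    elif i == 2:
        session, user = toks[0], toks[1]
    else:
        return None
    state = toks[i + 1] if len(toks) > i + 1 else None
    return session, user, int(toks[i]), state


def sessions_from_log(log_text):
    """Map each host in the log to the qwinsta rows it returned."""
    sessions = defaultdict(list)
    seen_header = set()  # only parse rows once a host has printed the table header
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("tag") != "+":
            continue
        host, body = m.group("host"), m.group("body")
        if body.split()[:1] == ["SESSIONNAME"]:
            seen_header.add(host)
            continue
        if host not in seen_header:
            continue
        row = parse_qwinsta_row(body)
        if row:
            sessions[host].append(row)
    return dict(sessions)


def logged_in_users(sessions):
    """host -> sorted list of usernames that have a session there."""
    return {h: sorted({r[1] for r in rows if r[1]}) for h, rows in sessions.items()}


def find_targets(sessions, admins):
    """{admin: [hosts]} for every admin on the list that has a session somewhere."""
    admins_lc = {a.lower() for a in admins}
    hits = defaultdict(set)
    for host, rows in sessions.items():
        for _session, user, _sid, _state in rows:
            if user and user.lower() in admins_lc:
                hits[user.lower()].add(host)
    return {u: sorted(hosts) for u, hosts in hits.items()}


if __name__ == "__main__":
    found = sessions_from_log(SAMPLE_LOG)
    for host, users in logged_in_users(found).items():
        print(host, users)
    print(find_targets(found, ["it-admin", "dadmin"]))
```

Point the script at the spool file Metasploit wrote instead of SAMPLE_LOG and feed it the administrator list from your recon; hosts with an Active session for an admin are the ones worth attacking first, since their credentials are in memory there.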
If you were lucky enough to get a local administrator account or a domain admin account, the next target is usually the Domain Controller (DC). One of the happiest moments for any pentester is successfully pulling all the hashes out of the DC. Even with administrative credentials, we cannot simply read the hashes off the Domain Controller: they are stored in C:\Windows\NTDS\ntds.dit, and that file is locked because Active Directory holds it open for as long as the service is running. The solution is to use the Volume Shadow Copy functionality built into Windows to create a copy of the file and read the copy instead.[14]