OK, this is pretty straightforward, no magic:
![Screen Shot 2012-10-17 at 11.00.16 AM.png Screen Shot 2012 10 17 at 11 00 16 AM](http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.00.16%20AM.png?fileId=20660662)
Got a shell; it doesn't have to be SYSTEM.
![Screen Shot 2012-10-17 at 11.00.44 AM.png Screen Shot 2012 10 17 at 11 00 44 AM](http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.00.44%20AM.png?fileId=20660663)
Add a route to the internal range, or directly to the host you want, over the session you want.
![Screen Shot 2012-10-17 at 11.01.23 AM.png Screen Shot 2012 10 17 at 11 01 23 AM](http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.01.23%20AM.png?fileId=20660664)
Mosey on over to the socks4a module. In another terminal we need to make sure our proxychains.conf file (in /etc/ or wherever you store your conf) is correct.
![Screen Shot 2012-10-17 at 10.52.29 AM.png Screen Shot 2012 10 17 at 10 52 29 AM](http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2010.52.29%20AM.png?fileId=20660666)
It defaults to 9050 on 127.0.0.1 for Tor; that's pretty easy to cope with, and there's no reason to mess with it if you actually use it for Tor for other things.
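As an added example (not from the original post), here is a small POSIX shell check that parses the `[ProxyList]` section of a proxychains.conf and confirms that the one active entry is the `socks4 127.0.0.1 9050` line the Metasploit socks4a listener is about to be started on. The conf text below is constructed to mirror the layout of the stock file, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of a proxychains.conf in its stock layout (assumption:
# '#' starts a comment line and proxies live under the [ProxyList] header).
SAMPLE_CONF='# proxychains.conf  VER 3.1
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 127.0.0.1 9050'

# Read a conf on stdin and print only the active (non-comment) proxy
# entries that follow the [ProxyList] header.
active_proxies() {
    sed -n '/^\[ProxyList\]/,$p' \
        | grep -v '^[[:space:]]*#' \
        | grep -E '^[[:space:]]*(socks4|socks5|http)[[:space:]]'
}

# Number of active proxy entries in the conf text given as $1.
count_proxies() {
    printf '%s\n' "$1" | active_proxies | grep -c .
}

# Succeed (exit 0) only if the conf text in $1 has exactly one active entry
# and it is "TYPE HOST PORT" as given in $2 $3 $4; any other state fails.
check_proxy() {
    want="$2 $3 $4"
    got=$(printf '%s\n' "$1" | active_proxies | awk '{print $1, $2, $3}')
    [ "$got" = "$want" ]
}

# Usage: confirm the conf still points at the Tor-style defaults before
# starting the socks4a module on the same host:port.
if check_proxy "$SAMPLE_CONF" socks4 127.0.0.1 9050; then
    echo "proxychains.conf: single socks4 127.0.0.1 9050 entry, OK"
else
    echo "proxychains.conf: unexpected ProxyList contents" >&2
fi
```

Run it against the real file with `check_proxy "$(cat /etc/proxychains.conf)" socks4 127.0.0.1 9050`; a second active entry (say a leftover from a previous job) makes the check fail, which is exactly the case where proxychains would quietly chain through the wrong hop.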
![Screen Shot 2012-10-17 at 11.03.00 AM.png Screen Shot 2012 10 17 at 11 03 00 AM](http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.03.00%20AM.png?fileId=20660667)
Run the socks proxy with the Tor-like settings. (Remember to shut down Tor first.)
![Screen Shot 2012-10-17 at 11.04.34 AM.png Screen Shot 2012 10 17 at 11 04 34 AM](http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.04.34%20AM.png?fileId=20660668)
And the rest is gravy. The % (percent sign, if blog software mangles it) is a delimiter that smbclient and other Samba tools recognize between user and password (so it doesn't prompt you for it).
And just to prove it's working:
![Screen Shot 2012-10-17 at 11.04.53 AM.png Screen Shot 2012 10 17 at 11 04 53 AM](http://www.room362.com/resource/Screen%20Shot%202012-10-17%20at%2011.04.53%20AM.png?fileId=20660669)
Yay, files. Yes, I know I didn't use smbmount, but it works the same, as does rpcclient.
A side note here: if you are using the pth-tools from
https://code.google.com/p/passing-the-hash/
you can use hashes instead of passwords for stuff like this. But who are we kidding? Who doesn't get clear text passwords anymore ;-)