Ok, this is pretty straight forward no magic:

Got a shell, doesn’t have to be SYSTEM

Add a route to the internal range or directly to the host you want over the session you want

Mosy on over  to the Socks4a module. And in another terminal we need to make sure our proxychains.conf file in /etc/ or where ever you store your conf is correct. 

It defaults to 9050 on 127.0.01 for Tor, that’s pretty easy to cope with and no reason to mess with it if you actually use it for Tor for other things.

Run the socks proxy with the Tor-like settings. (Remember to shutdown Tor first)

And the rest is gravy. The % (percent sign if blog software mangles it) is a delimiter that smbclient and other samba tools recognize between user and password (so it doesn’t prompt you for it).

And just to love it working:

yay files.. Yes I know I didn’t use smbmount but it works the same as well as rpcclient.

A side note here is if you are using the pth-tools from:

https://code.google.com/p/passing-the-hash/

You can use hashes instead of passwords for stuff like this. But who are we kidding? Who doesn’t get clear text passwords anymore ;-)