HTTP Tunneling

In real-world scenarios it is unlikely that any of the previous methods will work as-is outside an internal network: firewalls these days perform deep packet inspection and drop connections that do not look like the protocol permitted on a port.

In such scenarios we can encapsulate our connection inside an HTTP tunnel, so that the firewall sees only HTTP requests and responses and lets the traffic through. This relies on HTTP being allowed on the chosen port; an inline proxy that validates the HTTP conversation itself may still interfere with the tunnel.

Scenario/Goal

Let there be 3 systems - A, B and C. In the walkthrough below, A is our Kali machine, B is a compromised Linux system (192.168.1.20) and C is a Windows host (172.16.1.30) running RDP.

A -> B is reachable over HTTP, and the firewall also lets through an arbitrary port, 1234 in this example

B -> C is on the same network, and B can reach the service running on C

A -> C There is no direct connectivity between the two. They could be in completely different networks, or a firewall could prevent them from connecting

Install httptunnel on systems A and B (the package provides both the server side, hts, and the client side, htc)

sudo apt install httptunnel

System B

To begin with we create an SSH tunnel on our compromised Linux system (B) to the Windows machine's RDP port. The SSH connection goes to B itself over loopback and only serves to bind a local forwarding port, so sshd must be running on B and we need valid credentials for it,

ssh -L 0.0.0.0:8888:172.16.1.30:3389 user@127.0.0.1

The above command binds port 8888 on B and forwards anything received there to the RDP port of the Windows system. Since hts will connect to it over localhost, binding to 127.0.0.1 instead of 0.0.0.0 is sufficient and avoids exposing the forwarder to every host that can reach B. The command also opens an interactive shell; keep that session alive (or pass -N so ssh only forwards and starts no shell), because the forward dies with it.

Next we start an hts server that decapsulates the HTTP-wrapped traffic received on port 1234 (open in the firewall) and forwards the raw stream to port 8888,

hts --forward-port localhost:8888 1234

System A

Next, on the Kali machine (A), we start htc. It listens locally, encapsulates everything it receives in HTTP and sends it to the hts service we started on port 1234 on system B,

htc --forward-port 8080 192.168.1.20:1234

With this, all traffic sent to 127.0.0.1:8080 on A is tunneled to the Windows machine's RDP port via the Linux system: A:8080 -> (HTTP) -> B:1234 -> B:8888 -> (SSH local forward) -> C:3389. Point an RDP client at the local port, for example

xfreerdp /v:127.0.0.1:8080

(rdesktop 127.0.0.1:8080 works as well). This gives us an RDP session on the Windows machine. If the client cannot connect, check each hop in turn: that htc is listening on 8080 on A, that hts is listening on 1234 on B, and that the SSH forward on 8888 is still up.
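To make concrete what hts and htc are doing on the wire, the following is an added illustration written for this page, not httptunnel's own code or wire format. It models the htc side (wrap raw TCP bytes in an HTTP POST) and the hts side (unwrap the POST, relay the bytes to the --forward-port target, wrap the reply in an HTTP 200) with a loopback echo service standing in for the RDP port on C. One POST carries one chunk and the relay is synchronous, which is a simplification; the host name tunnel.example, the loopback ports and the echo target are all assumed or constructed for the demo.

```python
"""Minimal model of an HTTP tunnel in the style of htc/hts.

Added example for this page, not httptunnel's code: raw TCP bytes travel
inside ordinary-looking HTTP POSTs and 200 responses, so a firewall that
inspects for HTTP sees only HTTP. Hosts, ports and the echo target are
constructed for the demo.
"""
import socket
import threading

CRLF = b"\r\n"


def encapsulate(payload: bytes, host: str = "tunnel.example", path: str = "/") -> bytes:
    """htc side: wrap raw tunnel bytes in an HTTP/1.1 POST (host/path are assumed)."""
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "Connection: keep-alive\r\n\r\n"
    )
    return headers.encode() + payload


def encapsulate_response(payload: bytes) -> bytes:
    """hts side: wrap bytes coming back from the target in an HTTP 200 response."""
    headers = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(payload)}\r\n\r\n"
    )
    return headers.encode() + payload


def _content_length(head: bytes) -> int:
    """Parse Content-Length from a header block (request or response); 0 if absent."""
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def decapsulate(http_msg: bytes) -> bytes:
    """Strip the HTTP framing and return exactly Content-Length bytes of payload."""
    head, sep, body = http_msg.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete HTTP message")
    length = _content_length(head)
    if len(body) < length:
        raise ValueError("body shorter than Content-Length")
    return body[:length]


def recv_http(sock: socket.socket) -> bytes:
    """Read one complete HTTP message (headers plus Content-Length body) from a socket."""
    buf = b""
    while CRLF + CRLF not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before headers completed")
        buf += chunk
    head, _, body = buf.partition(CRLF + CRLF)
    length = _content_length(head)
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed mid-body")
        body += chunk
    return head + CRLF + CRLF + body[:length]


def hts_serve(listener: socket.socket, forward_to: tuple) -> None:
    """hts role: accept one htc connection, unwrap each POST, relay the bytes to
    forward_to (the --forward-port target) and wrap the target's reply in a 200."""
    conn, _ = listener.accept()
    target = socket.create_connection(forward_to)
    with conn, target:
        while True:
            try:
                request = recv_http(conn)
            except ConnectionError:
                break  # htc side went away; the target connection is torn down too
            target.sendall(decapsulate(request))
            conn.sendall(encapsulate_response(target.recv(4096)))


def echo_serve(listener: socket.socket) -> None:
    """Constructed stand-in for the service on system C: echoes whatever it receives."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def _listen_loopback() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # ephemeral port so the demo runs anywhere
    s.listen(1)
    return s


def run_demo(messages: list) -> list:
    """Bring up the echo target and the hts relay on loopback, push messages through
    the tunnel exactly as the htc side would, and return what came back."""
    echo_ls, hts_ls = _listen_loopback(), _listen_loopback()
    threading.Thread(target=echo_serve, args=(echo_ls,), daemon=True).start()
    relay = threading.Thread(target=hts_serve, args=(hts_ls, echo_ls.getsockname()), daemon=True)
    relay.start()
    replies = []
    with socket.create_connection(hts_ls.getsockname()) as htc_side:
        for msg in messages:
            htc_side.sendall(encapsulate(msg))                # on the wire: an HTTP POST
            replies.append(decapsulate(recv_http(htc_side)))  # back: an HTTP 200
    relay.join(timeout=5)
    echo_ls.close()
    hts_ls.close()
    return replies


if __name__ == "__main__":
    # Constructed sample payloads: text plus a few binary bytes like an RDP TPKT header.
    for reply in run_demo([b"hello", b"\x03\x00\x00\x13"]):
        print(reply)
```

The point of the demo is the framing, not performance: a packet capture between the htc and hts sides shows only POST requests and 200 responses with opaque bodies, which is why a port-based or protocol-based filter that permits HTTP lets the RDP session through.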
