Windows offer Internet Connection Sharing (ICS) for computers with WiFi capabilities. This may enable you to have the computer host a virtual Access Point or a SoftAP for you to access. One thing this is very useful for is for defeating the air gap some computers have. Of course the challenge in the first place will be to get initial access to it. The advantage of this is that it will not matter if the computer has full Internet access, firewalled or no access at all. The downside is that that in order to access the backdoor later the attacker has to be within range of the AP to access it.

To initiate the ICS feature and start the AP we have to do a few commands on the windows computer. The first thing will be to set up the Access Point and the second thing will be to activate it.
Code:
netsh wlan set hostednetwork mode ="allow" ssid="Backdoor" key="password" keyUsage="persistent"
net start SharedAccess
netsh wlan start hostednetwork
This command will give a brief overview of what was configured for the hostednetwork.
Code:
netsh wlan show hostednetwork setting=security
The ICS can be stopped with the following commands if you have the need to do so.
Code:
netsh wlan stop hostednetwork
net stop SharedAccess
And for good measure we will disallow the hostednetwork.
Code:
netsh wlan set hostednetwork mode=disallow
You can either type them in yourself, use a tool such as the USB Rubberducky or even social engineer the end user to type in the commands. After this is done you will be able to connect to the rogue AP as soon as you are within range. One thing to mention with this is that this will always use WPA2 Personal so you don't have to worry too much about other users listening in on your traffic as long as you set a decent key.
During a penetration test it is important not to leave backdoors that unethical hackers may discover and abuse. You do need administrative privileges to run these commands so you need some way of accomplishing this.