
A Practical Guide to Common Intranet Penetration Tools: nps, frp, EW, and ngrok

This article provides a comprehensive overview of popular intranet penetration tools—including nps, frp, EW, and ngrok—detailing their features, installation steps, configuration examples, and usage scenarios for exposing internal services such as HTTP, SSH, RDP, and file sharing to the public internet.


0x00 Preface

This article summarizes several commonly used intranet penetration and proxy tools from a penetration testing perspective, introducing their basic principles and usage.

0x01 nps-npc

1.1 Introduction

nps is a lightweight, high‑performance intranet penetration proxy server supporting TCP/UDP forwarding, HTTP/SOCKS5 proxy, P2P, and a web management console.

1.2 Features

Written in Go

Cross‑platform

Supports multiple proxy protocols

Web management UI

1.3 Usage

Download from GitHub.

NPS Server

Installation & Configuration

On a public‑IP server:

cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps

Edit conf/nps.conf to set web and bridge parameters, e.g.:

web_host=SERVER_IP_OR_DOMAIN
web_username=admin
web_password=YOUR_PASSWORD
web_port=8080

bridge_type=tcp
bridge_port=443
bridge_ip=0.0.0.0

Start Server

# Mac/Linux
./nps test|start|stop|restart|status

# Windows
nps.exe test|start|stop|restart|status

NPC Client

./npc -server=YOUR_IP:8024 -vkey=UNIQUE_PASSWORD -type=tcp

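Clients can be added via the web UI, each with a unique vkey, and multiple protocol tunnels can be created per client. The port given in -server must be the server's bridge_port, not the web_port: 8024 is the nps default, while the sample nps.conf above sets bridge_port=443.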

0x02 frp

2.1 Introduction

frp is a high‑performance reverse proxy for intranet penetration, supporting TCP, UDP, HTTP, HTTPS, and more.

2.2 Features

Supports TCP, KCP, WebSocket

Port multiplexing

Cross‑platform (slightly fewer features than nps)

Various plugins

2.3 Usage

Download from GitHub.

RDP Access Example

# frps.ini (server)
[common]
bind_port = 7000
token = abcdefgh

# frpc.ini (client)
[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

Start server: ./frps -c ./frps.ini

Start client: ./frpc -c ./frpc.ini

Connect via x.x.x.x:6000.

SSH Access Example

# frpc.ini snippet
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

Connect with ssh -oPort=6000 USER@x.x.x.x (USER is a placeholder for the account on the internal host).

Custom Domain HTTP Service

# frps.ini
[common]
bind_port = 7000
vhost_http_port = 8080
token = abcdefgh

# frpc.ini
[web]
type = http
local_port = 80
custom_domains = www.yourdomain.com

Configure the DNS A record of www.yourdomain.com to point to the server IP, then access http://www.yourdomain.com:8080.

File Server Plugin

# frpc.ini
[test_static_file]
type = tcp
remote_port = 6000
plugin = static_file
plugin_local_path = /tmp/file
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc

Browse http://x.x.x.x:6000/static/ to view files.

Dashboard, Encryption, Compression, TLS, Bandwidth Limit, Port Range

Various optional features can be enabled in frps.ini and frpc.ini, such as dashboard_port, use_encryption, use_compression, tls_enable, bandwidth_limit, and range: mappings.
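The sample configurations above use an 8-character token, no tls_enable, and abc/abc as plugin credentials while publishing RDP and a file share. The following audit of a legacy-format frpc.ini is an added example, not part of the original article or of frp; the function name, the MIN_SECRET_LEN threshold and the merged sample file are assumptions made for illustration.

```python
import configparser

# Constructed sample: frpc.ini fragments from this article merged into one file
# (the static_file remote_port is changed to 6001 so the two proxies do not clash).
SAMPLE_FRPC = """\
[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh

[rdp]
type = tcp
local_port = 3389
remote_port = 6000

[test_static_file]
type = tcp
remote_port = 6001
plugin = static_file
plugin_local_path = /tmp/file
plugin_http_user = abc
plugin_http_passwd = abc
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
MIN_SECRET_LEN = 16  # assumption: local policy value, not an frp requirement

def audit_frpc(text):
    """Return (section, finding) tuples for risky settings in a legacy frpc.ini."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if len(cfg.get("common", "token", fallback="")) < MIN_SECRET_LEN:
        findings.append(("common", "token missing or shorter than MIN_SECRET_LEN"))
    if not cfg.getboolean("common", "tls_enable", fallback=False):
        findings.append(("common", "tls_enable is not set to true"))
    for name in (s for s in cfg.sections() if s != "common"):
        sec = cfg[name]
        # Proxies that publish an administrative service deserve explicit review.
        svc = ADMIN_PORTS.get(sec.getint("local_port", fallback=0))
        if svc:
            findings.append((name, f"{svc} published on remote_port {sec.get('remote_port')}"))
        if "plugin" in sec:
            user, pw = sec.get("plugin_http_user", ""), sec.get("plugin_http_passwd", "")
            if len(pw) < MIN_SECRET_LEN or pw == user:
                findings.append((name, "plugin HTTP password is weak or equals the user name"))
    return findings

if __name__ == "__main__":
    print(*audit_frpc(SAMPLE_FRPC), sep="\n")
```

On the merged sample this reports four findings: the short token, the missing tls_enable, the published RDP port, and the abc/abc plugin credentials.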

0x03 EW

3.1 Introduction

EW is a lightweight C‑based network penetration tool offering SOCKS5 proxy and port forwarding, but it is no longer maintained.

3.2 Features

Lightweight, written in C

Supports multi‑level proxy chaining

Cross‑platform

Only SOCKS5 proxy

3.3 Usage

Typical commands (all ports default to 1080):

# Forward SOCKS5 server
./ew -s ssocksd -l 1080

# Reverse SOCKS5 server (two‑step)
./ew -s rcsocks -l 1080 -e 8888   # on public host A
./ew -s rssocks -d 1.1.1.1 -e 8888   # on target host B

# Multi‑level chaining examples
./ew -s lcx_listen -l 1080 -e 8888
./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999

0x04 ngrok

4.1 Introduction

ngrok is a reverse proxy service that creates secure tunnels from a public endpoint to a local web server, with traffic inspection and replay capabilities.

4.2 Features

Officially maintained, stable

Cross‑platform, closed source

Traffic logging and replay

4.3 Usage

Register on ngrok.com and download the binary.

Authorize with your token: ./ngrok authtoken YOUR_TOKEN

Expose a local HTTP service: ./ngrok http 80

Optional file sharing and TCP tunneling examples:

ngrok http -auth="user:password" file:///Users/alan/share
ngrok http "file:///C:\\Users\\alan\\Public Folder"
ngrok tcp 3389

For more commands, see the official documentation.
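Each tool covered in this article is started with a distinctive command line, which makes process-creation telemetry a practical place to detect unsanctioned tunnels. The matcher below is an added example, not part of the original article; the rule names, the event format and the sample events are constructed for illustration.

```python
import re

# Signatures built from the command lines shown in this article. EW and npc are
# matched on argument shape, so a renamed binary still hits; the frp and ngrok
# rules rely on the binary name and will miss renamed copies.
RULES = [
    ("ew-socks-tunnel",
     re.compile(r"\s-s\s+(?:ssocksd|rcsocks|rssocks|lcx_(?:listen|tran|slave))\b")),
    ("nps-client", re.compile(r"(?=.*\s-server=\S+:\d+)(?=.*\s-vkey=\S+)")),
    ("frp", re.compile(r"\bfrp[cs](?:\.exe)?\s+-c\s+\S+\.ini\b")),
    ("ngrok", re.compile(r"\bngrok(?:\.exe)?\s+(?:http|tcp|authtoken)\b")),
]

# Constructed process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("web01", "./ew -s rssocks -d 1.1.1.1 -e 8888"),
    ("web01", "/opt/tools/agent -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999"),
    ("db02", "./npc -server=YOUR_IP:8024 -vkey=UNIQUE_PASSWORD -type=tcp"),
    ("ws17", "./frpc -c ./frpc.ini"),
    ("ws17", "ngrok tcp 3389"),
    ("ws17", "ssh -s sftp backup@files.example.internal"),  # benign: -s without an EW mode
    ("db02", "tar xzvf backup.tar.gz -C /srv"),             # benign
]


def match_tunnel_tools(events):
    """Return (host, rule, redacted command line) for each event that hits a rule."""
    hits = []
    for host, cmd in events:
        rule = next((name for name, rx in RULES if rx.search(cmd)), None)
        if rule:
            # Keep the npc client key out of alert text and ticket systems.
            hits.append((host, rule, re.sub(r"(-vkey=)\S+", r"\1<redacted>", cmd)))
    return hits


if __name__ == "__main__":
    for hit in match_tunnel_tools(SAMPLE_EVENTS):
        print(hit)
```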
