A Comparative Overview of Common Intranet Penetration Tools: nps, frp, EW, and ngrok
This article introduces several widely used intranet penetration and proxy tools—including nps, frp, EW, and ngrok—explaining their core principles, key features, configuration steps, and practical usage scenarios for accessing internal services such as RDP, SSH, HTTP, and file sharing from outside networks.
Written from a penetration-testing perspective, it summarizes the author's preferred intranet penetration and proxy tools and briefly describes how each one works and how it is used.
nps-npc
nps is a lightweight, high‑performance intranet penetration proxy server written in Go, supporting TCP/UDP forwarding, HTTP/SOCKS5 proxy, P2P, and a web management interface. It requires a public‑IP server running the NPS server and one or more internal machines running the NPC client.
cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps
Modify conf/nps.conf to set web_host, web_username, web_password, and web_port. Start the server with ./nps test|start|stop|restart|status. On the client side, start NPC with:
./npc -server=YOUR_IP:8024 -vkey=UNIQUE_PASSWORD -type=tcp
frp
frp is a high‑performance reverse proxy focused on intranet penetration, supporting TCP, UDP, HTTP, HTTPS, and more. It offers features such as multiple protocol support, port reuse, plugins, dashboards, encryption, compression, TLS, bandwidth limiting, and range port mapping.
Typical deployment steps:
# frps.ini
[common]
bind_port = 7000
token = abcdefgh
Start the server: ./frps -c ./frps.ini. Client configuration example for RDP:
# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh
[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000
Start the client: ./frpc -c ./frpc.ini. Similar configurations are shown for SSH, custom domain HTTP, static file service, dashboard, TLS, bandwidth limiting, and range port mapping.
EW
EW is a portable network penetration tool written in C, providing SOCKS5 proxy and port forwarding capabilities. Although no longer maintained, it supports lightweight operation, multi‑level proxy chaining, and cross‑platform usage.
Example commands:
# Forward SOCKS5 server
./ew -s ssocksd -l 1080
# Reverse SOCKS5 server (two‑step)
./ew -s rcsocks -l 1080 -e 8888
./ew -s rssocks -d 1.1.1.1 -e 8888
Multi‑level chaining examples using lcx_listen, lcx_tran, and lcx_slave are also provided.
ngrok
ngrok is a reverse proxy service that creates a secure tunnel between a public endpoint and a local web server, exposing internal services to the internet. It captures and analyzes traffic, supports authentication, and can expose HTTP, TCP, and file‑sharing services.
Typical usage after obtaining an auth token:
./ngrok authtoken YOUR_TOKEN
./ngrok http 80
Other examples include authenticated file sharing, unauthenticated file sharing, and exposing RDP (TCP 3389) via ngrok tcp 3389. Documentation is available at https://ngrok.com/docs.
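For defenders, the command lines shown above give each tool a recognizable process-creation signature. The following is an added example, not part of the original article: it scans process-creation records for those signatures. The log format, host names, addresses, and rule names are constructed for illustration.

```python
import re

# Match on argument shape where the tool allows it: binaries are trivially renamed.
RULES = [
    ("nps-npc", re.compile(r"(?=.*\s-server=\S+:\d+)(?=.*\s-vkey=\S+)")),
    ("ew", re.compile(r"\s-s\s+(?:ssocksd|rcsocks|rssocks|lcx_listen|lcx_tran|lcx_slave)\b")),
    # frp and ngrok take generic arguments, so these two rules rely on the binary name.
    ("frp", re.compile(r"(?:^|[\\/])frp[cs](?:\.exe)?\s+.*-c\s+\S+\.ini\b")),
    ("ngrok", re.compile(r"(?:^|[\\/])ngrok(?:\.exe)?\s+(?:http|tcp|authtoken)\b")),
]
# Remote endpoint, when it is visible on the command line (npc -server=, ew -d).
PEER = re.compile(r"\s-server=(\S+)|\s-d\s+(\S+)")
# Assumed record layout for this example: host=<name> pid=<n> cmd=<command line>
LINE = re.compile(r"^host=(\S+) pid=(\d+) cmd=(.+)$")

def classify(cmd):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmd)]

def scan(log_lines):
    """Return one finding dict per matching process-creation record."""
    findings = []
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip records that do not follow the assumed layout
        host, pid, cmd = m.group(1), int(m.group(2)), m.group(3)
        for tool in classify(cmd):
            peer = PEER.search(cmd)
            findings.append({"host": host, "pid": pid, "tool": tool,
                             "peer": (peer.group(1) or peer.group(2)) if peer else None})
    return findings

# Constructed sample records (hypothetical hosts, documentation IP range).
SAMPLE = [
    "host=ws-17 pid=4312 cmd=./npc -server=203.0.113.10:8024 -vkey=REDACTED -type=tcp",
    "host=ws-17 pid=4400 cmd=/tmp/updater -s rssocks -d 203.0.113.10 -e 8888",
    "host=db-02 pid=911 cmd=/opt/frp/frpc -c ./frpc.ini",
    "host=dev-05 pid=2001 cmd=./ngrok tcp 3389",
    "host=web-01 pid=77 cmd=nginx -c /etc/nginx/nginx.conf",
    "host=dev-05 pid=2002 cmd=ssh -s admin@10.0.0.5 sftp",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The frp and ngrok findings carry no peer because the server address lives in frpc.ini or the ngrok account configuration, so triage for those two needs the configuration file or network telemetry as well.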