A Practical Guide to Internal Network Penetration Tools: NPS, FRP, EW, and Ngrok

The article presents a penetration‑oriented overview of four popular internal network tunneling solutions, describing their basic concepts, key features, and detailed usage instructions.

1. NPS (Network Proxy Server)

NPS is a lightweight, high‑performance proxy server written in Go that supports TCP/UDP forwarding, HTTP/SOCKS5 proxy, and P2P. It requires a public‑IP server running the NPS server component and one or more internal clients (NPC).

A public‑IP server runs the NPS server.

Internal machines run the NPC client.

Installation (Linux/macOS)

cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps

Edit the configuration file conf/nps.conf to set the web management address, username, password, and port:

web_host =
server_ip_or_domain
web_username = admin
web_password =
your_password
web_port = 8080

Modify the bridge section to change the NPC connection port if needed:

#bridge
bridge_type = tcp
bridge_port = 443   # example port
bridge_ip = 0.0.0.0

Start the server:

#Mac/Linux
./nps test|start|stop|restart|status
#Windows
nps.exe test|start|stop|restart|status

NPC Client

./npc -server=
your_ip
:8024 -vkey=
unique_key
-type=tcp

After adding a client in the web UI, you can create multiple tunnels for different protocols.

2. FRP (Fast Reverse Proxy)

FRP is a high‑performance reverse proxy supporting TCP, UDP, HTTP, HTTPS, and more. It enables exposing internal services through a public server.

Server configuration (frps.ini)

[common]
bind_port = 7000
# token for authentication
token = abcdefgh

Start the server:

./frps -c ./frps.ini

Client configuration (frpc.ini) – example for RDP:

[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

Start the client:

./frpc -c ./frpc.ini

Similar configurations can be used for SSH, HTTP, custom domains, static file service, dashboard, encryption/compression, TLS, bandwidth limiting, and range port mapping. Example of bandwidth limit:

[ssh]
type = tcp
local_port = 22
remote_port = 6000
use_encryption = true
use_compression = true
bandwidth_limit = 1MB

3. EW (EarthWorm)

EW is a portable network penetration tool written in C, providing SOCKS5 proxy and port forwarding. Although no longer maintained, it still offers useful features such as multi‑level proxy chaining.

Typical commands

# Forward SOCKS5 server
./ew -s ssocksd -l 1080

# Reverse SOCKS5 server (two‑step)
./ew -s rcsocks -l 1080 -e 8888   # on public host A
./ew -s rssocks -d 1.1.1.1 -e 8888   # on target host B

# Multi‑level chaining examples
./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
./ew -s lcx_listen -l 1080 -e 8888
./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999

4. Ngrok

Ngrok is a cloud‑based reverse proxy that creates a secure tunnel from a public endpoint to a local service, with traffic inspection and replay capabilities.

Typical usage:

./ngrok authtoken
your_token
./ngrok http 80   # expose local port 80
ngrok tcp 3389   # expose RDP port

Ngrok also supports file sharing with optional authentication:

ngrok http -auth="user:password" file:///Users/alan/share
ngrok http "file:///C:\\Users\\alan\\Public Folder"

For more details, refer to the official documentation at https://ngrok.com/docs.

Overall, the guide equips readers with practical knowledge to set up and use these tunneling tools for secure remote access, penetration testing, and service exposure.