Guide to Internal Network Penetration Tools: nps, frp, EW, and ngrok

This article presents a comprehensive overview of four widely used internal network penetration tools—nps, frp, EW, and ngrok—detailing their principles, features, and practical usage scenarios.

nps is a lightweight, high‑performance proxy server written in Go that supports TCP/UDP forwarding, HTTP/SOCKS5 proxy, and P2P. It runs a server (NPS) on a public‑IP VPS and clients (NPC) inside the private network. Key configuration files include conf/nps.conf and conf/npc.conf. Example installation commands:

cd ~
wget https://github.com/ehang-io/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps

Modify conf/nps.conf to set web_host, web_port, and authentication parameters, then start the server with ./nps start. Clients are started with commands such as ./npc -server=YOUR_IP:8024 -vkey=YOUR_KEY -type=tcp.

frp (Fast Reverse Proxy) is a high‑performance reverse proxy supporting TCP, UDP, HTTP, HTTPS, and more. It consists of a server (frps) and client (frpc). Example configuration snippets:

# frps.ini
[common]
bind_port = 7000
vhost_http_port = 8080
token = abcdefgh

# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh
[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

Start the server with ./frps -c ./frps.ini and the client with ./frpc -c ./frpc.ini. Optional features include dashboard, TLS encryption, compression, bandwidth limiting, and range port mapping.

EW is a portable network penetration tool written in C that provides SOCKS5 proxy and port forwarding. Although no longer maintained, it still offers useful commands such as: $ ./ew -s ssocksd -l 1080 for a forward SOCKS5 server, and multi‑stage relay commands using rcsocks, rssocks, lcx_listen, lcx_tran, and lcx_slave to build complex proxy chains.

ngrok is a cloud‑based reverse proxy that creates secure tunnels from a public endpoint to a local service. After registering and installing, run: ./ngrok authtoken YOUR_TOKEN then expose a service, e.g., ./ngrok http 80 or ./ngrok tcp 3389. It also supports file sharing with optional authentication.

All tools enable exposing internal services—such as RDP, SSH, HTTP websites, and static file servers—to the internet, facilitating remote access, testing, and debugging in environments without a public IP.