Master Intranet Penetration: A Practical Guide to nps, frp, EW, and ngrok

Introduction

This article, from a penetration testing perspective, summarizes several commonly used intranet penetration and proxy tools, explaining their basic principles and usage methods.

nps (nps‑npc)

Overview : nps is a lightweight, high‑performance intranet penetration proxy server supporting TCP/UDP forwarding, HTTP/SOCKS5 proxy, P2P, and a web management console.

Requires a public‑IP server running the NPS server.

One or more internal machines run the NPC client.

Features : written in Go, cross‑platform, supports multiple proxy protocols, web UI.

Installation & configuration :

cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps
vim conf/nps.conf
# edit web_host, web_username, web_password, web_port, etc.

Client side:

./npc -server=YOUR_IP:8024 -vkey=YOUR_KEY -type=tcp

The web management console can add clients; each client can create multiple protocol tunnels.

frp

Overview : frp is a high‑performance reverse proxy for intranet penetration, supporting TCP, UDP, HTTP, HTTPS, and more.

Supports TCP, KCP, WebSocket.

Port reuse allows multiple services to share one server port.

Cross‑platform with many plugins.

Basic usage:

# frps.ini
[common]
bind_port = 7000
token = abcdefgh

# frps -c ./frps.ini

# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

Run ./frps -c ./frps.ini on the server and ./frpc -c ./frpc.ini on the client.

Advanced features include a dashboard, encryption/compression, TLS, bandwidth limiting, and range port mapping.

EW (EarthWorm)

Overview : EW is a lightweight C‑based network penetration tool providing SOCKS5 proxy and port forwarding.

Lightweight, written in C.

Supports multi‑level proxy.

Cross‑platform, but only SOCKS5.

Example commands:

# Forward SOCKS5 server
./ew -s ssocksd -l 1080

# Reverse SOCKS5 server
./ew -s rcsocks -l 1080 -e 8888
./ew -s rssocks -d 1.1.1.1 -e 8888

# Multi‑level chaining
./ew -s lcx_listen -l 1080 -e 8888
./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999

ngrok

Overview : ngrok is a reverse proxy service that creates secure tunnels from a public endpoint to a local web server, offering traffic inspection and replay capabilities.

Officially maintained, stable.

Cross‑platform, closed source.

Provides traffic logs and replay.

Basic usage:

./ngrok authtoken YOUR_TOKEN
./ngrok http 80          # expose local port 80
./ngrok tcp 3389         # expose RDP

File sharing examples:

ngrok http -auth="user:password" file:///Users/alan/share
ngrok http "file:///C:\Users\alan\Public Folder"

Reference links: internal penetration articles, frp tutorial, EW documentation, ngrok documentation.