Master Intranet Penetration: NPS, FRP, EW, and Ngrok Explained
This guide introduces four popular intranet‑penetration tools—NPS/NPC, FRP, EW, and Ngrok—detailing their core principles, key features, installation steps, configuration files, and practical usage examples for exposing internal services such as web servers, SSH, RDP, and file sharing to the public internet.
Intranet Penetration Tools Overview
From a penetration perspective, this article summarizes several commonly used intranet‑penetration and proxy tools, explains their simple principles, and provides step‑by‑step usage instructions.
1. nps / npc
nps is a lightweight, high‑performance, feature‑rich intranet‑penetration proxy server written in Go. It supports TCP/UDP forwarding, HTTP/SOCKS5 proxy, P2P, and includes a powerful web management console.
Written in Go
Cross‑platform
Supports multiple proxy protocols
Web management UI
Installation & Configuration
cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps
Edit conf/nps.conf to set the web host, username, password, and port:
web_host=YOUR_SERVER_IP_OR_DOMAIN
web_username=admin
web_password=YOUR_PASSWORD
web_port=8080
Control the server (Linux/Mac) by passing one of these subcommands:
./nps test|start|stop|restart|status
Configure the client (npc) similarly and start it:
./npc -server=YOUR_SERVER_IP:8024 -vkey=UNIQUE_PASSWORD -type=tcp
2. frp
frp is a high‑performance reverse proxy focused on intranet penetration, supporting TCP, UDP, HTTP, HTTPS, and more. It enables exposing internal services through a public server.
Supports TCP, KCP, WebSocket
Port reuse for multiple services
Cross‑platform (slightly fewer features than nps)
Extensible plugins
Installation & Configuration
Download the latest release:
wget https://github.com/fatedier/frp/releases/download/v0.38.0/frp_0.38.0_linux_amd64.tar.gz
tar xzvf frp_0.38.0_linux_amd64.tar.gz
cd frp_0.38.0_linux_amd64
Server configuration (frps.ini) example:
[common]
bind_port = 7000
token = abcdefgh
# optional dashboard
#dashboard_port = 7500
#dashboard_user = admin
#dashboard_pwd = admin
Client configuration (frpc.ini) for RDP access:
[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh
[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000
Start the server and client:
./frps -c ./frps.ini
./frpc -c ./frpc.ini
Access the remote desktop via x.x.x.x:6000.
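The sample configuration above uses an eight-character token, optional admin/admin dashboard credentials, and publishes RDP on a server port. The following audit script is an added example, not part of the original article or the frp project; it checks only the keys shown above, and the 16-character token threshold and the `audit_frp_ini` name are assumptions.

```python
import configparser

SENSITIVE_PORTS = {3389: "RDP", 22: "SSH"}  # services the article forwards
MIN_TOKEN_LEN = 16  # assumed local policy, not an frp requirement


def audit_frp_ini(text):
    """Return a list of findings for an frps.ini or frpc.ini passed as text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    common = cfg["common"] if cfg.has_section("common") else {}

    token = common.get("token", "")
    if not token:
        findings.append("common: no token set, frps/frpc link is unauthenticated")
    elif len(token) < MIN_TOKEN_LEN:
        findings.append(f"common: token shorter than {MIN_TOKEN_LEN} characters")

    # Unset dashboard credentials are treated as admin/admin (assumed default).
    if "dashboard_port" in common:
        creds = (common.get("dashboard_user", "admin"),
                 common.get("dashboard_pwd", "admin"))
        if creds == ("admin", "admin"):
            findings.append("common: dashboard enabled with admin/admin")

    # Client proxy sections: flag sensitive services published on the server.
    for name in cfg.sections():
        sec = cfg[name]
        if name == "common" or sec.get("type") != "tcp":
            continue
        local_port = int(sec.get("local_port", "0"))
        if local_port in SENSITIVE_PORTS and "remote_port" in sec:
            findings.append(f"{name}: {SENSITIVE_PORTS[local_port]} published "
                            f"on server port {sec['remote_port']}")
    return findings


# Constructed inputs: the article's frps.ini with the dashboard lines
# uncommented, and the article's frpc.ini unchanged.
FRPS_INI = ("[common]\nbind_port = 7000\ntoken = abcdefgh\n"
            "dashboard_port = 7500\ndashboard_user = admin\ndashboard_pwd = admin\n")
FRPC_INI = ("[common]\nserver_addr = x.x.x.x\nserver_port = 7000\ntoken = abcdefgh\n"
            "[rdp]\ntype = tcp\nlocal_ip = 127.0.0.1\nlocal_port = 3389\nremote_port = 6000\n")

if __name__ == "__main__":
    for label, text in (("frps.ini", FRPS_INI), ("frpc.ini", FRPC_INI)):
        for finding in audit_frp_ini(text):
            print(f"{label}: {finding}")
```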
3. EW
EW is a portable network‑penetration tool written in C, providing a SOCKS5 server and port‑forwarding capabilities. Although no longer maintained, it still offers useful features such as multi‑level proxy chaining.
Lightweight, C language
Supports multi‑level proxy
Cross‑platform
Only SOCKS5 proxy is supported
Typical Commands
# Forward (direct) SOCKS5 server listening on local port 1080
./ew -s ssocksd -l 1080
# Reverse SOCKS5 server (public host A receives connections on 8888)
./ew -s rcsocks -l 1080 -e 8888 # on host A
./ew -s rssocks -d 1.1.1.1 -e 8888 # on target host B
# Multi‑level chaining example (three‑level)
./ew -s rcsocks -l 1080 -e 8888
./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
./ew -s lcx_listen -l 9999 -e 7777
./ew -s rssocks -d 127.0.0.1 -e 7777
4. ngrok
ngrok is a reverse proxy service that creates a secure tunnel from a public endpoint to a locally running web server, allowing internal services to be exposed to the internet. It also provides traffic inspection and replay features.
Officially maintained, stable
Cross‑platform, closed source
Traffic logging and replay (paid feature)
Basic Usage
# Register on https://ngrok.com/, download the binary and add your auth token
./ngrok authtoken YOUR_AUTHTOKEN
# Expose local port 80 as an HTTP service
./ngrok http 80
ngrok will output a public URL that forwards to your local service. Additional examples:
# Share a local folder with authentication
ngrok http -auth="user:password" file:///Users/alan/share
# Share a Windows folder without authentication
ngrok http "file:///C:\Users\alan\Public Folder"
# Expose RDP (TCP 3389) to the internet
ngrok tcp 3389
For more detailed commands and options, refer to the official ngrok documentation.
Common Features Across Tools
Dashboard / status panels for monitoring (nps, frp)
Optional encryption and compression to bypass firewalls
Bandwidth limiting per proxy
Range port mapping for bulk TCP/UDP forwarding
Support for custom domains and TLS (frp, ngrok)
These tools enable developers and operations engineers to securely expose internal services, perform remote debugging, and facilitate testing in environments without a public IP.
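For teams that need to know when these tunnels are running on their hosts, the command lines shown in this article make usable detection signatures. The following is an added example, not code from the article or from any of the four projects; it matches on argument shape so a renamed binary is still recognized, and the process listing, IP addresses and paths are constructed sample data.

```python
import re

# One rule per tool, built from the command lines shown in the article.
# The ew and npc rules key on arguments only, not on the binary name.
RULES = [
    ("ew", re.compile(
        r"\s-s\s+(?P<detail>ssocksd|rcsocks|rssocks|lcx_slave|lcx_listen)\b")),
    ("npc", re.compile(r"\s-server=(?P<detail>\S+:\d+)\s.*-vkey=")),
    ("frp", re.compile(r"(?:^|/)frp[sc]\s+-c\s+(?P<detail>\S+)")),
    ("ngrok", re.compile(r"(?:^|/)ngrok\s+(?P<detail>(?:http|tcp)\s+\S+)")),
]


def classify(cmdline):
    """Return (tool, detail) for a matching command line, else None."""
    for tool, rx in RULES:
        m = rx.search(cmdline)
        if m:
            return tool, m.group("detail")
    return None


def scan(ps_text):
    """Scan 'PID COMMAND' lines and return [(pid, tool, detail), ...]."""
    hits = []
    for line in ps_text.strip().splitlines():
        pid, _, cmd = line.strip().partition(" ")
        hit = classify(cmd)
        if hit:
            hits.append((pid, *hit))
    return hits


# Constructed process listing (PID followed by the full command line).
SAMPLE_PS = """
812 /usr/sbin/sshd -D
1440 nginx -s reload
2231 /dev/shm/kworker -s rssocks -d 198.51.100.7 -e 8888
2307 /tmp/.cache/update -server=203.0.113.10:8024 -vkey=k3y -type=tcp
2410 /opt/tools/frpc -c /opt/tools/frpc.ini
2555 ngrok tcp 3389
"""

if __name__ == "__main__":
    for pid, tool, detail in scan(SAMPLE_PS):
        print(f"pid={pid} tool={tool} detail={detail}")
```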
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
