Mastering Intranet Penetration: A Practical Guide to nps, frp, EW, and ngrok
This comprehensive tutorial introduces several widely used intranet penetration and proxy tools—including nps, frp, EW, and ngrok—explaining their core principles, key features, installation steps, configuration details, and practical usage scenarios for secure remote access and service exposure.
0x00 Introduction
This article summarizes several commonly used intranet penetration and proxy tools from a penetration perspective, introducing their basic principles and usage methods.
0x01 nps-npc
1.1 Overview
nps is a lightweight, high‑performance, feature‑rich intranet penetration proxy server. It currently supports TCP and UDP forwarding, any upper‑layer protocol, internal HTTP/SOCKS5 proxy, P2P, and includes a powerful web management console.
A public‑IP server (VPS) runs the NPS server.
One or more internal machines run the NPC client.
1.2 Features
Written in Go.
Cross‑platform.
Supports multiple proxy protocols.
Web management UI.
1.3 Usage
Download: https://github.com/ehang-io/nps/releases
Installation & Configuration
On the server, extract the appropriate package:
cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps
Edit conf/nps.conf to set web parameters:
web_host=SERVER_IP_OR_DOMAIN
web_username=admin
web_password=YOUR_PASSWORD
web_port=8080
Adjust the #bridge section to change the NPC connection port if needed:
bridge_type=tcp
bridge_port=443 # modify connection port
bridge_ip=0.0.0.0
Start NPS
# Mac/Linux
./nps test|start|stop|restart|status
# Windows
nps.exe test|start|stop|restart|status
Start NPC
./npc -server=YOUR_IP:8024 -vkey=UNIQUE_PASSWORD -type=tcp
The port in -server must match bridge_port in nps.conf (8024 is the default). After creating a client, the web UI allows adding connections; each connection receives a unique vkey. Multiple tunnels of different protocols can be created per client.
Through different protocols and ports, the proxy can reach internal machines.
0x02 frp
2.1 Overview
frp is a high‑performance reverse proxy focused on intranet penetration, supporting TCP, UDP, HTTP, HTTPS and more, allowing internal services to be exposed to the public internet via a public‑IP node.
2.2 Features
Client‑server communication supports TCP, KCP, WebSocket, etc.
Port multiplexing.
Cross‑platform (slightly fewer protocols than nps).
Various plugins provide extra functions.
2.3 Usage
Download: https://github.com/fatedier/frp/releases
1. RDP access to home machine
Configure frps.ini with matching token for authentication:
# frps.ini
[common]
bind_port = 7000
token = abcdefgh
Start the server:
./frps -c ./frps.ini
Configure frpc.ini (replace x.x.x.x with the server IP):
# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh
[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000
Start the client and connect via RDP to x.x.x.x:6000.
2. SSH access to corporate intranet
Similar configuration with an [ssh] section and remote_port = 6000. Connect using:
ssh -p 6000 <user>@x.x.x.x
3. Expose internal web service via custom domain
Set vhost_http_port = 8080 in frps.ini, then in frpc.ini:
[web]
type = http
local_port = 80
custom_domains = www.yourdomain.com
After DNS A‑record points to the server IP, access the service at http://www.yourdomain.com:8080.
4. Simple file server
Enable the static_file plugin in frpc.ini to expose a directory over HTTP with optional authentication.
[test_static_file]
type = tcp
remote_port = 6000
plugin = static_file
plugin_local_path = /tmp/file
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc
Browse http://x.x.x.x:6000/static/ to view files.
2.4 Common Features
Dashboard
Enable a status dashboard by adding dashboard_port = 7500 and credentials in frps.ini, then visit http://[server_addr]:7500.
Encryption & Compression
Set use_encryption = true and/or use_compression = true in a proxy section to secure or compress traffic.
From v0.25.0, TLS can be enabled with tls_enable = true in the common section.
Bandwidth limiting
Use bandwidth_limit = 1MB (or KB) in a proxy definition.
Port range mapping
Define a [range:test_tcp] section with local_port = 6000-6006,6007 to create multiple proxies automatically.
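A defensive check for the frp settings covered in 2.3 and 2.4, as an added example (not part of the original article or of the frp project): it parses a legacy INI config and flags a short token, a dashboard without explicit credentials, proxies with neither TLS nor use_encryption, and a static_file plugin with a weak password. The function names and the 16-character threshold are assumptions; dashboard_user and dashboard_pwd are the frps.ini credential keys.

```python
import configparser

MIN_SECRET_LEN = 16  # assumed policy threshold, not an frp requirement

def _is_true(section, key):
    return section.get(key, "false").strip().lower() == "true"

def audit_frp_ini(text):
    """Return findings for the body of a legacy-format frps.ini or frpc.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    common = cp["common"] if cp.has_section("common") else {}
    findings = []
    if len(common.get("token", "")) < MIN_SECRET_LEN:
        findings.append("common: token missing or shorter than %d chars" % MIN_SECRET_LEN)
    # Server side: dashboard exposed without explicitly chosen credentials.
    if "dashboard_port" in common and not (
            common.get("dashboard_user") and common.get("dashboard_pwd")):
        findings.append("common: dashboard_port set without dashboard_user/dashboard_pwd")
    is_client = "server_addr" in common  # only frpc.ini carries server_addr
    tls = _is_true(common, "tls_enable")
    for name in (s for s in cp.sections() if s != "common"):
        proxy = cp[name]
        if is_client and not tls and not _is_true(proxy, "use_encryption"):
            findings.append("%s: neither tls_enable nor use_encryption is set" % name)
        if proxy.get("plugin", "") == "static_file" and \
                len(proxy.get("plugin_http_passwd", "")) < MIN_SECRET_LEN:
            findings.append("%s: static_file password missing or shorter than %d chars"
                            % (name, MIN_SECRET_LEN))
    return findings

# Constructed sample: the frpc.ini fragments from this page, combined.
SAMPLE_FRPC = """
[common]
server_addr = x.x.x.x
token = abcdefgh
[rdp]
type = tcp
local_port = 3389
remote_port = 6000
[test_static_file]
type = tcp
remote_port = 6001
plugin = static_file
plugin_http_user = abc
plugin_http_passwd = abc
"""

if __name__ == "__main__":
    print("\n".join(audit_frp_ini(SAMPLE_FRPC)))
```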
0x03 ew
3.1 Overview
EW is a portable network penetration tool offering SOCKS5 service and port forwarding; it is no longer maintained.
3.2 Features
Lightweight, written in C.
Supports multi‑level proxy chaining.
Cross‑platform.
Only supports SOCKS5.
3.3 Usage
All examples assume the SOCKS5 port is 1080.
Forward SOCKS5 server
$ ./ew -s ssocksd -l 1080
Reverse SOCKS5 server
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
Multi‑level chaining
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
Example of three‑level chaining:
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
0x04 ngrok
4.1 Overview
ngrok is a reverse proxy that creates a secure tunnel between a public endpoint and a local web server, exposing internal services to the internet and providing traffic inspection and replay.
4.2 Features
Officially maintained, generally stable.
Cross‑platform, closed source.
Traffic logging and replay.
4.3 Usage
Register at https://ngrok.com/ and download the binary.
Authorize with the token:
Expose a local HTTP service:
Expose a file directory (with or without auth) and TCP ports using appropriate commands.
More details are available at https://ngrok.com/docs.
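For the detection side, the command lines shown above for EW, npc and frp give stable argument patterns to look for in process-creation logs. The following is an added example, not code from the original article or from any of these projects; the host=/user=/cmd= record format, the function names and the sample records are constructed assumptions.

```python
import re

# Patterns come from the command lines on this page. EW and npc are matched on
# their arguments, so a renamed binary still matches; frp is matched on the
# binary name because "-c file.ini" alone is too generic.
EW_MODE = re.compile(r"\s-s\s+(ssocksd|rcsocks|rssocks|lcx_listen|lcx_tran|lcx_slave)\b")
EW_PEER = re.compile(r"\s-[df]\s+(\S+)")  # -d / -f carry remote hosts
NPC_SERVER = re.compile(r"\s-server=(\S+)")
NPC_VKEY = re.compile(r"\s-vkey=\S+")
FRP_BIN = re.compile(r"(?:^|[/\\])(frp[cs])(?:\.exe)?\s+-c\s+\S+")
LINE = re.compile(r"host=(\S+) user=(\S+) cmd=(.*)")

def classify(cmd):
    """Return (tool, mode, peers) for one command line, or None."""
    m = EW_MODE.search(cmd)
    if m:
        return ("ew", m.group(1), EW_PEER.findall(cmd))
    server = NPC_SERVER.search(cmd)
    if server and NPC_VKEY.search(cmd):
        return ("npc", "client", [server.group(1)])
    m = FRP_BIN.search(cmd)
    if m:
        return ("frp", m.group(1), [])
    return None

def scan(lines):
    """Return (host, user, tool, mode, peers) for every matching record."""
    hits = []
    for line in lines:
        rec = LINE.match(line)  # malformed records are skipped
        verdict = classify(rec.group(3)) if rec else None
        if verdict:
            hits.append((rec.group(1), rec.group(2)) + verdict)
    return hits

# Constructed process-creation records; not real telemetry.
SAMPLE_LOG = [
    "host=web01 user=www-data cmd=/tmp/.cache/upd -s rssocks -d 1.1.1.1 -e 8888",
    "host=web01 user=www-data cmd=/tmp/.cache/upd -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999",
    "host=ws12 user=alice cmd=./npc -server=192.0.2.10:8024 -vkey=REDACTED -type=tcp",
    "host=ws12 user=alice cmd=./frpc -c ./frpc.ini",
    "host=ws12 user=alice cmd=ssh -p 6000 alice@192.0.2.10",
    "host=build1 user=ci cmd=gcc -c main.c -o main.o",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```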
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
