Common intranet penetration tools, put them away!

Author: V0WKeep3r\

0x00 Preface

From the perspective of penetration, this paper summarizes several commonly used intranet penetration and Intranet agent tools, and introduces their simple principles and application methods.

0x01 nps-npc


nps is a lightweight, high-performance and powerful intranet penetration proxy server. At present, it supports tcp and udp traffic forwarding, supports any tcp and udp upper layer protocols (access to intranet website, local payment interface debugging, ssh access, remote desktop, intranet dns resolution, etc.), in addition, it also supports intranet http proxy, intranet socks5 proxy, p2p, etc., and has a powerful web management terminal.

  • A server with public IP (VPS) runs the server (NPS)
  • One or more servers or PC clients (NPC s) running on the Intranet

1.2 features

  • Written in Go language
  • Support cross platform
  • Agent supporting multiple protocols
  • web management end

1.3 application method


Installation configuration

Find the corresponding version of your server:

cd ~wget xzvf linux_amd64_server.tar.gzcd ~/nps

There will be an NPs executable file, conf configuration directory and web page directory under the NPs directory. We only need to modify conf/nps.conf:

vim conf/nps.conf

You need to change #web the following parameters,

web_host= The server IP Or domain name web_username= admin(Login user name) web_password= Your password web_port=8080(web (management port)

Modifying #bridge can change the connection port of NPC. For example, if we get a server with limited permissions and a firewall, maybe only some ports (80443) can go out of the network, so we need to modify it into an out of network port.

##bridgebridge_type=tcpbridge_port=443    # Modify connection port bridge_ip=


#Mac/Linux./nps test|start|stop|restart|status  Test profile|start-up|stop it|restart|state#Windowsnps.exe test|start|stop|restart|status test configuration file | start | stop | restart |


./npc -server=Yours IP:8024 -vkey=Unique authentication password -type=tcp

After creating a new client, you can also see the detailed client connection commands in +:

web management end

In the client interface, you can add client connections by adding new ones. The vkey of each connection is unique.

After establishing a connection, each client can establish multiple tunnels with different protocols, which are different agents.

The agent's intranet machine can be connected through different protocols and ports.

0x02 frp

2.1 introduction

frp is a high-performance reverse proxy application focusing on Intranet penetration. It supports TCP, UDP, HTTP, HTTPS and other protocols. The intranet service can be exposed to the public network in a safe and convenient way through the transit with public network IP nodes.

2.2 features

  • Client server communication supports TCP, KCP, Websocket and other protocols.
  • Port multiplexing: multiple services are exposed through the same server port.
  • Cross platform, but less supported than nps
  • A variety of plug-ins provide many functions

2.3 application method


The following is taken from:

1. Access home machines through rdp

Modify the frps.ini file. For security reasons, it is best to configure authentication here. If the token parameters in the common configuration of the server and the client are consistent, the authentication passes:

# frps.ini[common]bind_port = 7000# For authentication, please modify it yourself to ensure that the server is consistent with the client. token = abcdefgh

Start frps:

./frps -c ./frps.ini

Modify the frpc.ini file and assume that the public IP of the server where frps is located is x.x.x.x:

# frpc.ini[common]server_addr = x.x.x.xserver_port = 7000# For authentication, please modify it yourself to ensure that the server is consistent with the client. token = abcdefgh[rdp]type = tcplocal_ip = = 3389remote_port = 6000

Start frpc:

./frpc -c ./frpc.ini

Access the remote machine through rdp at:


Startup and self start

For Windows system, for ease of use, you can configure silent startup when starting up.

Create a start in the peer directory of frpc.exe_ frpc.vbs:

'start_frpc.vbs'Please modify the path according to the actual situation CreateObject("WScript.Shell").Run """D:\Program Files\frp_windows_amd64\frpc.exe""" & "-c" & """D:\Program Files\frp_windows_amd64\frpc.ini""",0

Copy start_frpc.vbs file, open the following directory, and note that


Change to your user name:

C:\Users\<USER_NAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Right click and paste as a shortcut.

\2. Access the intranet machine of the company through SSH

The deployment steps of frps are the same as above.

Start frpc and configure as follows:

# frpc.ini[common]server_addr = x.x.x.xserver_port = 7000# For authentication, please modify it yourself to ensure that the server is consistent with the client. token = abcdefgh[ssh]type = tcplocal_ip = = 22remote_port = 6000

Access the intranet machine through SSH, assuming that the user name is test:

ssh -oPort=6000 test@x.x.x.x

\3. Access the Web services deployed in the intranet through the custom domain name

Sometimes we want others to access or test the Web services we built locally through the domain name, but because the local machine has no public IP, it is unable to resolve the domain name to the local machine. This function can be realized through frp. The following example is HTTP service. The configuration method of HTTPS service is the same, vhost_http_port is replaced by vhost_https_port and type can be set to HTTPS.

Modify the frps.ini file and set the http access port to 8080:

# frps.ini[common]bind_port = 7000vhost_http_port = 8080# For authentication, please modify it yourself to ensure that the server is consistent with the client. token = abcdefgh

Start frps:

./frps -c ./frps.ini

Modify the frpc.ini file and assume that the IP of the server where frps is located is x.x.x.x, local_port is the port corresponding to the Web service on the local machine. Bind the user-defined domain name

# frpc.ini[common]server_addr = x.x.x.xserver_port = 7000# For authentication, please modify it yourself to ensure that the server is consistent with the client. token = abcdefgh[web]type = httplocal_port = 80custom_domains =

Start frpc:

./frpc -c ./frpc.ini

Resolve the domain name A record of to IP x.x.x.x. if the server already has A corresponding domain name, you can also resolve the CNAME record to the original domain name of the server.

Access via browser You can access the Web service on the intranet machine.

\4. Provide simple external file access services

Through static_ The file plug-in can provide a simple HTTP based file access service.

The deployment steps of frps are the same as above.

Start frpc and enable static_file plug-in, configured as follows:

# frpc.ini[common]server_addr = x.x.x.xserver_port = 7000# For authentication, please modify it yourself to ensure that the server is consistent with the client token = abcdefgh[test_static_file]type = tcpremote_port = 6000plugin = static_file# File directory to be exposed plugin_local_path = /tmp/file# Access the prefix that will be removed from the url, and the reserved content is the file path plugin to be accessed_ strip_ prefix = staticplugin_ http_ user = abcplugin_ http_ passwd = abc

Access via browser http://x.x.x.x:6000/static/ To view the files located in the / tmp/file directory, you will be asked to enter the set user name and password.

2.4 common functions

\1. Statistics panel (Dashboard)

View frp status and proxy statistics through the browser.

Note: the Dashboard has not been optimized for a large number of proxy data display. If the Dashboard access is slow, please do not enable this function.

You need to specify the port used by the dashboard service in frps.ini to enable this function:

[common]dashboard_port = 7500# The user name and password of dashboard are admindashboard by default_ user = admindashboard_ pwd = admin

Open the browser and access the dashboard interface through http://[server_addr]:7500. The user name and password are admin by default.

2. Encryption and compression

These two functions are not enabled by default. You need to configure frpc.ini to enable encryption and compression for the specified agent. The compression algorithm uses snappy:

# frpc.ini[ssh]type = tcplocal_port = 22remote_port = 6000use_encryption = trueuse_compression = true

If the company's intranet firewall identifies and shields the traffic of external network access, such as prohibiting SSH protocol, set use_encryption = true, encrypting and transmitting the communication content between frpc and frps will effectively prevent the traffic from being intercepted.

If the length of the transmitted message is long, set use_compression = true compresses the transmitted content, which can effectively reduce the network traffic between frpc and frps and speed up the traffic forwarding speed, but it will consume some additional CPU resources.


Since version v0.25.0, encrypted transmission through TLS protocol is supported between FRPC and frps. By configuring TLS in common of frpc.ini_ Enable = true to enable this function for higher security.

For port multiplexing, the first byte of frp establishing TLS connection is 0x17.

Note: after enabling this function, you do not need to set use except xtcp_ encryption.

3. Agency speed limit

At present, it is supported to set the speed limit of proxy level in the proxy configuration of the client to limit the bandwidth that a single proxy can occupy.

# frpc.ini[ssh]type = tcplocal_port = 22remote_port = 6000bandwidth_limit = 1MB

Add bandwidth in agent configuration_ The limit field enables this function. Currently, only MB and KB units are supported.

4. Range port mapping

Mapping multiple ports can be specified in the configuration file of frpc. At present, only tcp and udp types are supported.

This function is realized through the range: paragraph tag. The client will parse the configuration in this tag and split it into multiple proxies. Each proxy is named after a number.

For example, to map the six local ports 6000-6005 and 6007, the main configurations are as follows:

# frpc.ini[range:test_tcp]type = tcplocal_ip = = 6000-6006,6007remote_port = 6000-6006,6007

After the actual connection is successful, 8 proxies will be created and named test_tcp_0, test_tcp_1 ... test_tcp_7.

0x03 ew

3.1 introduction

EW is a portable network penetration tool with two core functions of SOCKS v5 service erection and port forwarding. It can complete network penetration in complex network environment. However, the tools are not updated now...

3.2 features

  • Lightweight, written in C language
  • Multi level proxy can be set
  • Cross platform
  • However, only Socks5 agents are supported

3.3 application method

The following methods of use are taken from:

In the following examples, unless otherwise specified, the proxy port is 1080 and the service is SOCKSv5 proxy service

The tool has six command formats (socksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran).

1. Forward SOCKS v5 server

$ ./ew -s ssocksd -l 1080

2. Rebound SOCKS v5 server

This operation is divided into two steps:
a) First run the following command on A host A with public ip:

$ ./ew -s rcsocks -l 1080 -e 8888

b) Start the SOCKS v5 service on the target host B and bounce back to port 8888 of the public network host

$ ./ew -s rssocks -d -e 8888


3. Multistage cascade

The three port forwarding instructions included in the tool have the following parameter formats:

$ ./ew -s lcx_listen -l  1080   -e 8888  $ ./ew -s lcx_tran   -l  1080   -f -g 9999  $ ./ew -s lcx_slave  -d -e 8888    -f  -g  9999

Through these port forwarding instructions, TCP based services deep in the network can be forwarded to the root, such as SOCKS v5. First, two "two cascade" local SOCKS test samples are provided:

a) lcx_ Usage of tran

$ ./ew -s ssocksd  -l 9999$ ./ew -s lcx_tran -l 1080 -f -g 9999

b) lcx_listen,lcx_ Usage of slave

$ ./ew -s lcx_listen -l 1080 -e 8888$ ./ew -s ssocksd    -l 9999$ ./ew -s lcx_slave  -d -e 8888 -f -g 9999

A "three-level cascade" local SOCKS test case is provided for reference

$ ./ew -s rcsocks -l 1080 -e 8888 $ ./ew -s lcx_slave -d -e 8888 -f -g 9999  $ ./ew -s lcx_listen -l 9999 -e 7777  $ ./ew -s rssocks -d -e 7777

Data flow: socks V5 - > 1080 - > 8888 - > 9999 - > 7777 - > rssocks

0x04 ngrok

4.1 introduction

Ngrok is a reverse proxy. By establishing a secure channel between the public endpoint and the locally running Web server, the services of the intranet host can be exposed to the Internet. Ngrok can capture and analyze the traffic on all channels for later analysis and playback, so ngrok can easily assist the server program testing.

4.2 features

  • Official maintenance, generally stable
  • Cross platform, closed source
  • It has the function of traffic recording and retransmission

4.3 application method

  • Enter the official website of ngrok( ), register the ngrok account and download the ngrok;
  • Run the following authorization command according to the authorization code given on the official website;
  • ./ngrok authtoken 1hAotxhmORtzCYvUc3BsxDBPh1H_******************
  • . / ngrok http 80 exposes the machine's port 80 http service to the public network, and provides a public domain name.

You can view data packets and traffic through the UI interface of the official website (but you have to pay = =,)

You can also expose intranet files and other TCP services to the public network through some commands.

Authorized settings file sharing

ngrok http -auth="user:password" file:///Users/alan/share

Unauthorized settings file sharing

ngrok http "file:///C:\Users\alan\Public Folder"

Expose the TCP port 3389 of the host to the public network

ngrok tcp 3389

For more usage reference:

0xFF reference link

Intranet penetration

Open source intranet penetration tool frp simple tutorial

Recent hot article recommendations:

1.1000 + Java interview questions and answers (2021 latest version)

2.Stop playing if/ else on the full screen. Try the strategy mode. It's really fragrant!!

3.what the fuck! What is the new syntax of xx ≠ null in Java?

4.Spring Boot 2.6 was officially released, a wave of new features..

5.Java development manual (Songshan version) is the latest release. Download it quickly!

Feel good, don't forget to like + forward!

Tags: Java

Posted on Wed, 24 Nov 2021 21:23:41 -0500 by HK2ALL