
Using frp for Intranet Penetration

A highly useful reverse proxy for intranet penetration

# frp

Let’s start with an introduction:

frp is a fast reverse proxy that exposes local servers behind NAT or firewalls to the Internet. It currently supports TCP and UDP, as well as HTTP and HTTPS protocols, allowing requests to be forwarded to internal services via a domain name.

Our prerequisites are:

  • A public IP address (obtainable by purchasing a cloud server from various providers)
  • A host machine to be exposed (requires installing frp)
  • A local machine that accesses the host machine (may need frp installed, depending on the proxy type used)

# Public IP (Cloud Server)

In frps.toml, set up as follows:

```toml
bindPort = 5000
```

Here, we use port 5000 for listening, which must be opened in the firewall.

# TCP Connection

If using a TCP connection, the configuration for the host machine’s frpc.toml is as follows:

```toml
serverAddr = "your cloud server's public IP"
serverPort = 5000 # must match bindPort in frps.toml

[[proxies]]
name = "tcp-test"
type = "tcp"
localIP = "127.0.0.1" # can be localhost or a LAN address
localPort = 9527 # the port to expose
remotePort = 9001 # the port to access on the public server, which needs to be opened in the firewall
# TOML configs use the transport.* keys; use_encryption / use_compression are the legacy INI names
transport.useEncryption = true # encrypts the traffic between frpc and frps
transport.useCompression = true
```

This establishes a binding relationship of public IP:9001 -> localhost:9527. We can access public IP:9001 from an external network environment.

With this method, anyone who knows our public IP and access port can connect to the exposed service on our host machine. While this might be acceptable for multiplayer gaming, it may not be suitable for SSH connections. In such cases, we need a more private approach, namely an stcp connection.

# stcp Connection

If using an stcp connection, the configuration for the host machine’s frpc.toml is as follows:

```toml
serverAddr = "your cloud server's public IP"
serverPort = 5000

[[proxies]]
name = "secret_server"
type = "stcp"
# Only users with a secretKey matching the one set here can access this service
secretKey = "123456789"
# Can be localhost or a LAN address; if it's a school server, pay attention to
# using its public IP address as there may be a firewall intercepting it
localIP = "127.0.0.1"
localPort = 12345 # the port to expose
```

The configuration for the local machine’s frpc.toml is as follows:

```toml
serverAddr = "your cloud server's public IP"
serverPort = 5000

[[visitors]]
name = "secret_visitor"
type = "stcp"
# The name of the stcp proxy to access
serverName = "secret_server"
secretKey = "123456789"
# Bind a local port to access the SSH service
bindAddr = "127.0.0.1"
bindPort = 6000 # the port used locally
```

This establishes a binding relationship of local machine 127.0.0.1:6000 -> host machine IP:12345. We can normally access the host machine’s service using 127.0.0.1:6000 in our local machine environment.
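
A hardened variant of the three configuration files above, shown in one listing as an added example that is not part of the original post. With only `bindPort` set, any frpc that can reach port 5000 can register proxies on the server, and a short numeric `secretKey` is easy to guess; the values in angle brackets are placeholders to replace with your own random strings.

```toml
# ---- frps.toml (cloud server) ----
bindPort = 5000
# Shared token every frpc must present before it can register a proxy or visitor.
# Placeholder: generate your own value, e.g. with `openssl rand -hex 32`.
auth.method = "token"
auth.token = "<RANDOM_SERVER_TOKEN>"
# Only let clients claim the remote port from the TCP example; everything else is refused.
allowPorts = [
  { single = 9001 },
]

# ---- frpc.toml (host machine being exposed) ----
serverAddr = "your cloud server's public IP"
serverPort = 5000
auth.method = "token"
auth.token = "<RANDOM_SERVER_TOKEN>"   # same value as in frps.toml

[[proxies]]
name = "secret_server"
type = "stcp"
# Long random value instead of a guessable digit string (placeholder).
secretKey = "<RANDOM_STCP_SECRET>"
localIP = "127.0.0.1"
localPort = 12345

# ---- frpc.toml (local machine acting as visitor) ----
serverAddr = "your cloud server's public IP"
serverPort = 5000
auth.method = "token"
auth.token = "<RANDOM_SERVER_TOKEN>"

[[visitors]]
name = "secret_visitor"
type = "stcp"
serverName = "secret_server"
secretKey = "<RANDOM_STCP_SECRET>"     # must match the proxy's secretKey
bindAddr = "127.0.0.1"                 # keep the visitor port on loopback only
bindPort = 6000
```

Because these files now hold secrets, restrict them to the account that runs frp (for example `chmod 600 frpc.toml`).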

# tmux Script

Typing commands manually each time is too tiring. The cloud server can keep running continuously, but when accessing from the local machine, we need to type a bunch of commands to launch it every time. Why not write a script?

We use tmux because even after closing the terminal, we can still maintain a normal connection.

The final frp.sh script is as follows:

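```bash
#!/usr/bin/env bash
# Command that starts the frp client; ~ is expanded by the shell running inside tmux
command="~/frp/frpc -c ~/frp/frpc.toml"

# Create a detached tmux session named "frp"
tmux new-session -d -s frp

# Send the execution command to the tmux session
tmux send-keys -t frp "$command" ENTER
```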