Goshs

Offensive & Pentesting

A single‑binary, multi‑protocol file server for quick HTTP/S, WebDAV, FTP/SFTP, SMB, LDAP and more with built‑in auth, capture and share features

Track releases GitHub Website

Go Latest v2.1.0 · 5d ago Security brief →

Features

Supports HTTP / HTTPS, WebDAV, FTP/SFTP, SMB, LDAP/S and DNS/SMTP callbacks in one binary
Offers basic auth, TLS (self‑signed or custom), IP whitelisting, file ACLs and certificate auth
Provides share links with download/time limits and QR code generation
Captures SMB NTLM hashes, LDAP credentials and can crack them with wordlists

Recent releases

View all 21 releases →

Upgrade now

v2.1.0 Mixed 5d

Auth

Security + Bug fixes + Repository move

Open

No immediate action

v2.0.8 Bug fix 21d

Self‑update fix

Open

Review required

v2.0.7 Breaking risk 22d

Auth RCE / SSRF

--update broken

Open

v2.0.6 Breaking risk 1mo

Notable features

Markdown (.md) file preview with syntax highlighting in the browser
Extended preview support for additional data types (code, documents, etc.)
Collaborator panel log export covering HTTP, DNS, SMB, LDAP, and SMTP

Full changelog

What's Changed in v2.0.6

New Features

Markdown file preview — View .md files rendered directly in the browser with syntax highlighting
Extended file preview — Added preview support for more data types (code, documents, etc.)
Collaborator log export — Export collaborator panel logs (HTTP, DNS, SMB, LDAP, SMTP) for offline analysis

Improvements

Frontend modularization — Restructured monolithic main.js (2700+ lines) and style.scss into 13 focused JS modules and 14 SCSS partials, built with esbuild
Pretty update changelog — --update now shows changelogs for all versions between your current and the latest release, rendered with terminal markdown styling
Modernized Go code — Applied go fix across the codebase for updated Go patterns
Added highlight.min.js, marked.min.js, and purify.min.js for frontend rendering

Bug Fixes

Fixed broken sharelink handler
Removed leftover build artifacts

Full Changelog: https://github.com/patrickhener/goshs/compare/v2.0.5...v2.0.6

View release on GitHub

v2.0.5 New feature 1mo

Notable features

LDAP collaborator server with simple bind, SASL PLAIN, NTLM hash capture (built‑in wordlist and optional custom list), JNDI/Log4Shell mode, LDAPS support, WebSocket UI for live events, and webhook integration
Cross‑platform Windows support for the interactive reverse shell catcher

Full changelog

What's new in v2.0.5

LDAP Collaborator Server

New ldapserver package providing a lightweight LDAP server for credential capture and attack scenarios:

Simple bind capture — logs DN and cleartext passwords
SASL PLAIN capture — decodes and logs SASL PLAIN credentials
NTLM hash capture — full NetNTLMv2 challenge-response exchange with inline hash cracking (built-in default wordlist + optional --ldap-wordlist file), hashcat-format output
JNDI/Log4Shell mode (--ldap-jndi) — responds to any search with a javaNamingReference entry, turning goshs into a Log4Shell exploitation endpoint
LDAPS support — use -s -ss (self-signed) or -s -sc/-sk (custom cert) to serve LDAP over TLS; port auto-switches from 389 to 636
WebSocket UI — all events (bind, search, NTLM) stream live to the LDAP collaborator tab with cracked-password badges
Webhook integration — bind/search/NTLM events forwarded to Discord/Slack/etc.

New CLI flags: --ldap, --ldap-port, --ldap-jndi, --ldap-jndi-base, --ldap-wordlist

Reverse Shell Catcher (Windows support)

The interactive shell catcher now builds and runs on Windows (previously stub-only). Build constraints have been dropped and the package is fully cross-platform.

Testing

ldapserver: 27 new tests covering BER protocol parsing, response builders, plain TCP and TLS session integration, SASL binds, JNDI search responses, and the NewLDAPServer constructor
catcher: 29 new tests covering session lifecycle, concurrent close, manager start/stop/kill, connection acceptance, broadcast notifications, and ensureCRLF
Fixed a bug where catcher.Listener reported Port: 0 when using OS-assigned ports