Release history

Goshs releases

Upgrade now
v2.1.0 Mixed
Auth

Security + Bug fixes + Repository move

Config change
v2.0.9 Maintenance
Auth

Routine maintenance and dependency updates.

No immediate action
v2.0.8 Bug fix

Self‑update fix

Review required
v2.0.7 Breaking risk
Auth RCE / SSRF

--update broken

v2.0.6 Breaking risk
Notable features
  • Markdown (.md) file preview with syntax highlighting in the browser
  • Extended preview support for additional data types (code, documents, etc.)
  • Collaborator panel log export covering HTTP, DNS, SMB, LDAP, and SMTP
Full changelog

What's Changed in v2.0.6

New Features

  • Markdown file preview — View .md files rendered directly in the browser with syntax highlighting
  • Extended file preview — Added preview support for more data types (code, documents, etc.)
  • Collaborator log export — Export collaborator panel logs (HTTP, DNS, SMB, LDAP, SMTP) for offline analysis

Improvements

  • Frontend modularization — Restructured monolithic main.js (2700+ lines) and style.scss into 13 focused JS modules and 14 SCSS partials, built with esbuild
  • Pretty update changelog: --update now shows changelogs for all versions between your current and the latest release, rendered with terminal markdown styling
  • Modernized Go code — Applied go fix across the codebase for updated Go patterns
  • Added highlight.min.js, marked.min.js, and purify.min.js for frontend rendering

Bug Fixes

  • Fixed broken sharelink handler
  • Removed leftover build artifacts

Full Changelog: https://github.com/patrickhener/goshs/compare/v2.0.5...v2.0.6

v2.0.5 New feature
Notable features
  • LDAP collaborator server with simple bind, SASL PLAIN, NTLM hash capture (built‑in wordlist and optional custom list), JNDI/Log4Shell mode, LDAPS support, WebSocket UI for live events, and webhook integration
  • Cross‑platform Windows support for the interactive reverse shell catcher
Full changelog

What's new in v2.0.5

LDAP Collaborator Server

New ldapserver package providing a lightweight LDAP server for credential capture and attack scenarios:

  • Simple bind capture — logs DN and cleartext passwords
  • SASL PLAIN capture — decodes and logs SASL PLAIN credentials
  • NTLM hash capture — full NetNTLMv2 challenge-response exchange with inline hash cracking (built-in default wordlist + optional --ldap-wordlist file), hashcat-format output
  • JNDI/Log4Shell mode (--ldap-jndi) — responds to any search with a javaNamingReference entry, turning goshs into a Log4Shell exploitation endpoint
  • LDAPS support — use -s -ss (self-signed) or -s -sc/-sk (custom cert) to serve LDAP over TLS; port auto-switches from 389 to 636
  • WebSocket UI — all events (bind, search, NTLM) stream live to the LDAP collaborator tab with cracked-password badges
  • Webhook integration — bind/search/NTLM events forwarded to Discord/Slack/etc.

New CLI flags: --ldap, --ldap-port, --ldap-jndi, --ldap-jndi-base, --ldap-wordlist

Reverse Shell Catcher (Windows support)

The interactive shell catcher now builds and runs on Windows (previously stub-only). Build constraints have been dropped and the package is fully cross-platform.

Testing

  • ldapserver: 27 new tests covering BER protocol parsing, response builders, plain TCP and TLS session integration, SASL binds, JNDI search responses, and the NewLDAPServer constructor
  • catcher: 29 new tests covering session lifecycle, concurrent close, manager start/stop/kill, connection acceptance, broadcast notifications, and ensureCRLF
  • Fixed a bug where catcher.Listener reported Port: 0 when using OS-assigned ports

Other changes

  • Bumped github.com/google/go-github to v85.0.0 (#154)
  • Simplified cleanup logic in integration tests (#156, @alexandear)
  • README updated with LDAP collaborator and catcher documentation

v2.0.4 Feature
Notable features
  • Interactive shell catcher with reverse shell listeners, shell upgrade support, and a revshells.com‑inspired generator
Full changelog

New features

Interactive shell catcher with reverse shell listeners, shell upgrade support, and a generator inspired by revshells.com. Full docs at https://goshs.de/en/usage/collaboration/catcher/index.html

v2.0.3 New feature
Notable features
  • New -mu / --max-upload flag to define max upload size (bytes)
Full changelog

Changes

I added a lot of improvements. Eliminated some bugs (and probably introduced new ones). This is more like a code quality release though.

There is now a new flag -mu --max-upload that lets you define a max upload size in bytes.

v2.0.2 Security relevant
Security fixes
  • GHSA-rhf7-wvw3-vjvm — Fixed CSRF/CORS issue by switching ?delete and ?mkdir handlers to HTTP DELETE and POST and enforcing referer/origin header checks.
Notable features
  • Improved testing framework with extensive test additions for higher code coverage
Full changelog

Advisories

  • Fix security issue https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm

CSRF/CORS is not an issue anymore. I changed the ?delete and the ?mkdir handlers to the HTTP verbs DELETE and POST and also added referer and origin headers. This way a user will be protected against CSRF attacks and curl behavior will be preserved.

Thanks again https://github.com/wooseokdotkim for contributing to the security of the project.

Testing

Improved the testing framework and added a lot of tests to get a better code coverage.
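The CSRF mitigation described in the v2.0.2 advisory notes above, sketched as an added Go example; this is not goshs's own handler code. The names csrfGuard, sameOrigin and probe and the host files.example are hypothetical, and allowing requests that carry neither header is an assumption based on the note that curl behavior is preserved.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// sameOrigin reports whether an Origin or Referer value points at host.
func sameOrigin(v, host string) bool {
	u, err := url.Parse(v)
	return err == nil && u.Host != "" && u.Host == host
}

// csrfGuard is a hypothetical middleware illustrating the fix, not project code.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		del, mk := q.Has("delete"), q.Has("mkdir")
		// State changes are bound to verbs a plain link or <img> tag cannot send.
		if (del && r.Method != http.MethodDelete) || (mk && r.Method != http.MethodPost) {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// Browsers attach Origin/Referer; curl sends neither, so absence passes (assumption).
		for _, h := range []string{"Origin", "Referer"} {
			if v := r.Header.Get(h); (del || mk) && v != "" && !sameOrigin(v, r.Host) {
				http.Error(w, "cross-origin request refused", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the guard and returns the status code.
func probe(method, target, origin string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, target, nil)
	req.Header.Set("Origin", origin) // an empty value is treated as "header absent"
	rec := httptest.NewRecorder()
	csrfGuard(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe("GET", "http://files.example:8000/a.txt?delete", ""), probe("DELETE", "http://files.example:8000/a.txt?delete", ""))
}
```

An Origin of `null`, which browsers send from sandboxed or opaque contexts, parses to an empty host and is refused by the same check.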

v2.0.1 Bugfix

Fixed checksum issues in Go's proxy infrastructure.

Full changelog

This release was published to fix checksum issues in Go's proxy infrastructure and to resolve them by getting a new checksum.

v2.0.0 New feature
Security fixes
  • GHSA-6qcc-6q27-whp8 — Path traversal sanitization across handlers
  • GHSA-jgfx-74g2-9r6g — Token bypass allowing unauthenticated WebDAV actions
  • GHSA-2943-crp8-38xx — SFTP server port confusion bug
Notable features
  • SMB server to capture NTLM hashes (goshs -smb)
  • SFTP file sharing alongside HTTP
  • DNS catcher for out‑of‑band callbacks (goshs -dns)
Full changelog

goshs v2.0.0

This is a major release that significantly expands goshs beyond an HTTP file server into a full multi-protocol collaboration and capture tool.


New Protocols

SMB Server
Spin up a rogue SMB server to capture and crack NTLM hashes during penetration tests and CTF challenges.
goshs -smb -smb-domain CORP

SFTP Server
Serve files over SSH/SFTP alongside or instead of HTTP.

DNS Server
Catch out-of-band DNS callbacks — useful for SSRF detection and blind injection testing.
goshs -dns -dns-ip

SMTP Server
Receive emails including attachments, logged and forwarded to webhooks. Requires a domain to prevent open relay abuse.
goshs -smtp -smtp-domain your-domain.com


Collaboration Mode

A new real-time collaboration panel brings together all active servers in one view:

  • Live HTTP request log
  • Live DNS query log
  • Live SMTP inbox (with attachment display)
  • Live SMB NTLM hash capture
  • Live clipboard sync across sessions

New Features

  • Redirect endpoint — issue HTTP redirects with custom status codes and headers via ?redirect&url=...&status=301&header=... — useful for SSRF and open redirect testing
  • Dark / light theme — full UI redesign with theme toggle and new logo
  • SMB webhook events — NTLM captures are forwarded to your configured webhook
  • NTLM quick cracker — captured SMB hashes are automatically tested against a built-in list of known/common passwords
  • Info endpoint — JSON endpoint exposing server configuration and state
  • Clipboard live update — clipboard contents sync in real time across all connected clients
  • Recursive .goshs auth — per-directory auth files now apply recursively to subdirectories
  • Config file improvements — cleaner structure, new fields for all v2 server modes

Security Fixes

Several vulnerabilities reported by the community were fixed during the beta cycle:

  • Path traversal sanitization across all handlers (GHSA-6qcc-6q27-whp8)
  • Token bypass allowing unauthenticated upload/delete/CLI via WebDAV (GHSA-jgfx-74g2-9r6g)
  • SFTP server port confusion bug (GHSA-2943-crp8-38xx)
  • Auth bypass via .goshs files not applying recursively (GHSA-wvhv-qcqf-f3cx)
  • Five additional security advisories resolved (GHSA-5h6h-7rc9-3824, GHSA-c29w-qq4m-2gcv, GHSA-jrq5-hg6x-j6g3, GHSA-7h3j-592v-jcrp, GHSA-hpxj-9fgp-fhhf)

Thanks to the security contributors: @marduc812, @autobot23920, @R1ZZG0D, @jaisurya-me, and @Guilhem7.


Installation

go install goshs.de/goshs@latest

Or grab a binary from the releases page.


v2.0.0-beta.5 Feature
Notable features
  • Implemented an SMB server that captures NetNTLMv2/v1+ESS hashes and attempts to crack them using a static or user‑provided wordlist; also serves files.
  • Support for custom wordlists when attempting hash cracking.
Full changelog

Big update

I implemented an SMB server that also catches and cracks hashes (NetNTLMv2/v1+ESS) against a static wordlist and iterations of username and domain. You can also provide a wordlist to try and crack against.

Other than that, the SMB server also serves files. Expect it to be a bit buggy, as SMB is basically a huge protocol.

Have fun and leave feedback as issues if you encounter anything unusual.

v2.0.0-beta.4 Security relevant
Security fixes
  • GHSA-2943-crp8-38xx – Fixed wrong port usage in sftpserver.
  • GHSA-wvhv-qcqf-f3cx – Made .goshs auth work recursively.
Notable features
  • `?redirect` handler for intentional redirects (Issue #138)
Full changelog

Security

  • Fix a bug where the wrong port was used in sftpserver and fix the security issue reported at https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx. Thanks again @marduc812 for reporting the issue.
  • Fix security issue reported at: https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx. Also make .goshs auth work recursively. Thanks again @R1ZZG0D for reporting the issue.

New feature

  • Implemented Issue #138, which introduces a ?redirect handler that lets you redirect on purpose. Good for CTF environments.

v2.0.0-beta.3 Security relevant
Security fixes
  • GHSA-6qcc-6q27-whp8 — path sanitization fixes
  • GHSA-g8mv-vp7j-qp64 — path sanitization fixes
  • GHSA-jg56-wf8x-qrv5 — path sanitization fixes
Full changelog

Security Fix

This release fixes three security issues reported as Advisories:

  • https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8
  • https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64
  • https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5

Added path sanitization in general throughout all handlers. Thanks again @autobot23920 for contributing.

v2.0.0-beta.2 Security relevant
Security fixes
  • GHSA-jgfx-74g2-9r6g — security issue fixed (details in https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g)
Notable features
  • SMTP binding to a domain via --smtp-domain flag
Full changelog

Security Issue

Shoutouts to marduc812 for finding and reporting a security issue, which I fixed with this release: https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g

Additionally

  • SMTP can now be bound to a domain via --smtp-domain, so no open relay is created
  • main.go has been restructured for better code quality and readability

v2.0.0-beta.1 New feature
Notable features
  • Collaborator tab with built‑in DNS and SMTP servers
  • Full HTTP request log displayed in the Collaborator tab
Full changelog

All new UI/UX

This is a beta release of the all new v2.0.0. I did a complete UI/UX redesign. A lot happened behind the scenes, but I don't want to bother you with it. Basically it is a complete redesign including the templates, CSS and JavaScript functions.

Added Features

There is now a collaborator tab, similar to Burp's Collaborator. You can now run a DNS server and an SMTP server. As long as your domain points to your goshs instance, you can use it like a collaborator to catch mail and DNS requests. Also, a full HTTP log can now be found in the collaborator tab. There you can see information like you were able to using -V (verbose mode). This is very useful for exfiltration of information in CTF - CSRF - XSS scenarios.

v1.1.4 New feature
Notable features
  • Online tunneling via localhost.run for exposing Goshs even when network is not directly reachable
Full changelog

New Feature

v1.1.4 adds a new feature where you can tunnel goshs to localhost.run to make it available online even if your network cannot be reached directly from the internet. For more information look at https://localhost.run/.

Bug Fix

  • Fixed an upload problem tracked in Issue #134.

1.1.3 Breaking risk
Breaking changes
  • mDNS functionality changed from opt‑out to opt‑in
Notable features
  • Invisible mode added (see https://goshs.de/en/usage/restrictions/index.html#be-invisible-invisible-mode)
Full changelog

Changelog

  • New Feature: Invisible mode. Read more on that at https://goshs.de/en/usage/restrictions/index.html#be-invisible-invisible-mode
  • made mDNS opt-in instead of opt-out

Fixes

  • fixed silent mode a bit

v1.1.2 Maintenance

Minor fixes and improvements.

Full changelog

Issues

  • Addressing the wrong upload behavior reported in issue #128
  • Addressing a cosmetic issue in #127

README.md

  • Adding star history

v1.1.1 Bugfix
Notable features
  • Option to disable mDNS
  • Upload folder can be specified
  • Clipboard order reversed
Full changelog

Smaller updates

  • You can now disable mDNS
  • Clipboard order is now reversed
  • You can now specify a different upload folder
  • Smaller bugfixes

v1.1.0 Feature
Notable features
  • Share files or folders with a download limit or time‑limited link, accessible without authentication.
  • QR code generator for file and folder links to enable easy mobile retrieval.
Full changelog

New Features

This release adds a new feature. When using authentication (basic auth or cert auth) you can now share files using a download limit or a time limit. So anyone with the link can now download the file (or a folder as zip file) when clicking the link, even without authentication.

Styleup

Also there is now a QRCode generator for general file or folder links, so you can easily grab files on a mobile device.
