v2.0.6  ·  Single Binary  ·  Zero Config

Beyond
Python's http.server

A single-binary file server built for pentesters and CTF players. HTTP/S, WebDAV, SFTP, SMB, LDAP/S, NTLM hash capture, DNS/SMTP callbacks — all from one command, zero dependencies.

★ Star on GitHub  ·  787 ▶ Live Demo 📚 Docs
go install goshs.de/goshs/v2@latest

Already trusted by 787 developers, engineers and security professionals

goshs web interface screenshot

Everything you need. One binary.

No configuration files required. No dependencies. Download and run.

📁

File Operations

Download, upload via drag & drop or POST/PUT, delete, bulk ZIP download, and QR code generation for instant mobile access.

🔌

Multiple Protocols

HTTP/S, WebDAV, SFTP, SMB, and LDAP/S. Pick what your target supports — or run them all at once from a single process.

🔒

Auth & Security

Basic auth, certificate-based auth, TLS (self-signed, Let's Encrypt, or custom cert), IP allowlist, per-file ACLs.

⚙️

Flexible Modes

Read-only, upload-only, no-delete, silent (no directory listing), invisible, or CLI command execution mode.

🔗

Share Links

Generate token-based share links with configurable download-count and time-based expiry for secure, one-shot file sharing.

🎯

Red Team & CTF

SMB NTLM hash capture + cracking, LDAP credential capture + NTLM hash cracking, JNDI mode for Log4Shell, DNS/SMTP out-of-band callbacks, reverse shell catcher + payload generator, redirect endpoint.

Unique
🔔

Integrations

Webhooks, tunnel via localhost.run with TOFU SSH key pinning, mDNS discovery, and config file support.

🛠️

Quality of Life

Dark and light themes, clipboard integration, one-command self-update, structured log output, drop privileges after bind.

Built for the field

Your engagement companion

goshs was built by a pentester, for pentesters. When you're mid-engagement and need to catch credentials fast or stand up a callback server in seconds, goshs has your back.

  • SMB server captures NTLM hashes and cracks them inline with a wordlist
  • LDAP server catches credentials and NTLM hashes — JNDI mode for Log4Shell
  • DNS + SMTP server catches out-of-band callbacks from blind injections
  • Reverse shell catcher with integrated one-click payload generator
  • Redirect endpoint for phishing simulation and SSRF testing
  • Tunnel via localhost.run — expose goshs publicly in one flag
engagement — goshs
$ goshs -smb -smb-domain CORP \ -smb-wordlist /usr/share/wordlists/rockyou.txt [*] SMB server listening on :445 [*] Waiting for NTLM authentication...   [+] Hash: CORP\jdoe::CORP:aa1122...:3f4a... [+] Cracked: jdoe : P@ssw0rd123   $ goshs -dns -dns-ip 1.2.3.4 \ -smtp -smtp-domain callback.corp [*] DNS server listening on :53 [*] SMTP server listening on :25 [+] DNS callback: app-server.internal → 1.2.3.4 [+] SMTP: received mail from app@corp.local

Up in seconds

One command is all it takes — for any use case.

Serve the current directory
$ goshs Serving '.' on http://0.0.0.0:8000
HTTPS with basic auth
$ goshs -s -ss -b user:secret Serving '.' on https://0.0.0.0:8000 Basic auth enabled
Running different protocols
$ goshs -w -sftp -smb -b user:pass Serving '.' on https://0.0.0.0:8000 WebDAV, SFTP, SMB and Basic auth enabled
Capture LDAP credentials (Log4Shell)
$ goshs -ldap \ -ldap-wordlist rockyou.txt LDAP/JNDI server on :1389 [+] Credential captured & cracked
Capture DNS and SMTP events
$ goshs -dns -dns-port 53 -smtp \ -smtp-port 25 -smtp-domain evil.com DNS server on :53, SMTP server on :25 [+] DNS and SMTP events captured
Invisible with WebHooks
$ goshs --invisible --webhook \ -Wp discord -Wu <webhook-url> Running fully invisible Sending events to webhook...

Install your way

Available on every major platform and package manager.

🦫
Go
go install goshs.de/goshs/v2@latest
🐉
Kali Linux & Parrot OS
sudo apt install goshs
🎗️
Arch Linux (AUR)
yay -S goshs-bin
🦎
openSUSE
sudo zypper install goshs
❄️
Nix / NixOS
nix-env -iA nixpkgs.goshs
🍺
Homebrew
brew install goshs
🪟
Scoop (Windows)
scoop install extras/goshs
🐳
Docker
docker run --rm -it -p 8000:8000 \
  -v "$PWD:/pwd" patrickhener/goshs:latest -d /pwd
📦
GitHub Releases

Pre-built binaries for Linux, macOS, and Windows — no Go toolchain required.

Download Release →

Join 787 ★ users

goshs is free and open source, forever. A star on GitHub helps others discover it.

★ Star on GitHub Read the Docs →