v2.0.8  ·  Single Binary  ·  Zero Config

Beyond
Python's http.server

A single-binary file server built for pentesters and CTF players. HTTP/S, WebDAV, SFTP, SMB, LDAP/S, NTLM hash capture, DNS/SMTP callbacks — all from one command, zero dependencies.

★ Star on GitHub  ·  858 ▶ Live Demo 📚 Docs
curl -sSfL https://goshs.de/install.sh | sh

Already trusted by 858 developers, engineers and security professionals

goshs web interface screenshot

Everything you need. One binary.

No configuration files required. No dependencies. Download and run.

📁

File Operations

Download, upload via drag & drop or POST/PUT, delete, bulk ZIP download, and QR code generation for instant mobile access.

🔌

Multiple Protocols

HTTP/S, WebDAV, SFTP, SMB, and LDAP/S. Pick what your target supports — or run them all at once from a single process.

🔒

Auth & Security

Basic auth, certificate-based auth, TLS (self-signed, Let's Encrypt, or custom cert), IP allowlist, per-file ACLs.

⚙️

Flexible Modes

Read-only, upload-only, no-delete, silent (no directory listing), invisible, or CLI command execution mode.

🔗

Share Links

Generate token-based share links with configurable download-count and time-based expiry for secure, one-shot file sharing.

🎯

Red Team & CTF

SMB NTLM hash capture + cracking, LDAP credential capture + NTLM hash cracking, JNDI mode for Log4Shell, DNS/SMTP out-of-band callbacks, reverse shell catcher + payload generator, redirect endpoint.

Unique
🔔

Integrations

Webhooks (Discord, Mattermost, Slack), tunnel via localhost.run with TOFU SSH key pinning, mDNS discovery, and config file support.

🛠️

Quality of Life

Dark and light themes, clipboard integration, one-command self-update, tab completion for bash/fish/zsh (goshs --completion bash|fish|zsh), structured log output, drop privileges after bind.

Built for the field

Your engagement companion

goshs was built by a pentester, for pentesters. When you're mid-engagement and need to catch credentials fast or stand up a callback server in seconds, goshs has your back.

  • SMB server captures NTLM hashes and cracks them inline with a wordlist
  • LDAP server catches credentials and NTLM hashes — JNDI mode for Log4Shell
  • DNS + SMTP server catches out-of-band callbacks from blind injections
  • Reverse shell catcher with integrated one-click payload generator
  • Redirect endpoint for phishing simulation and SSRF testing
  • Tunnel via localhost.run — expose goshs publicly in one flag
engagement — goshs
$ goshs -smb -smb-domain CORP \ -smb-wordlist /usr/share/wordlists/rockyou.txt [*] SMB server listening on :445 [*] Waiting for NTLM authentication...   [+] Hash: CORP\jdoe::CORP:aa1122...:3f4a... [+] Cracked: jdoe : P@ssw0rd123   $ goshs -dns -dns-ip 1.2.3.4 \ -smtp -smtp-domain callback.corp [*] DNS server listening on :53 [*] SMTP server listening on :25 [+] DNS callback: app-server.internal → 1.2.3.4 [+] SMTP: received mail from app@corp.local

Up in seconds

One command is all it takes — for any use case.

Serve the current directory
$ goshs Serving '.' on http://0.0.0.0:8000
HTTPS with basic auth
$ goshs -s -ss -b user:secret Serving '.' on https://0.0.0.0:8000 Basic auth enabled
Running different protocols
$ goshs -w -sftp -smb -b user:pass Serving '.' on https://0.0.0.0:8000 WebDAV, SFTP, SMB and Basic auth enabled
Capture LDAP credentials (Log4Shell)
$ goshs -ldap \ -ldap-wordlist rockyou.txt LDAP/JNDI server on :1389 [+] Credential captured & cracked
Capture DNS and SMTP events
$ goshs -dns -dns-port 53 -smtp \ -smtp-port 25 -smtp-domain evil.com DNS server on :53, SMTP server on :25 [+] DNS and SMTP events captured
Invisible with WebHooks
$ goshs --invisible --webhook \ -Wp discord -Wu <webhook-url> Running fully invisible Sending events to webhook...

How goshs compares

Side-by-side against the most common alternatives.

Feature Python
http.server		 updog miniserve goshs
★ recommended
Core
Single binary / zero runtime
File upload
HTTPS / TLS
Authentication Password only
Bulk ZIP download
Protocols
WebDAV Read-only
SFTP
SMB
Pentest & CTF
DNS callback server
SMTP callback server
Mattermost / Discord / Slack webhooks
Invisible mode
NTLM hash capture & cracking
Reverse shell catcher
Log4Shell / LDAP JNDI

Frequently asked questions

Everything you need to know about goshs.

What is goshs?+

goshs is a single-binary Go HTTP server designed for pentesters and CTF players. It replaces Python's http.server with support for HTTP/S, WebDAV, SFTP, SMB, LDAP/S, DNS callbacks, SMTP callbacks, Mattermost/Discord/Slack webhooks, invisible mode, and more — all from one command with zero dependencies.

What protocols does goshs support?+

goshs supports HTTP, HTTPS, WebDAV, SFTP, SMB (with NTLM hash capture), LDAP/S (with JNDI mode for Log4Shell), DNS (out-of-band callback server), and SMTP (email callback server). Multiple protocols can run simultaneously from a single process.

How do I run goshs in invisible mode?+

Pass the --invisible flag: goshs --invisible. In invisible mode goshs serves files without displaying a directory listing, making the server presence less obvious to anyone browsing to it. Combine with --webhook to receive Mattermost, Discord, or Slack notifications for every download or upload.

Does goshs support Mattermost webhooks?+

Yes. goshs supports Mattermost, Discord, and Slack webhooks natively. Use -W -Wu <webhook-url> -Wp Mattermost to send real-time notifications for uploads, downloads, deletes, DNS callbacks, SMTP events, and more. Which events trigger notifications is configurable via -We.

Can I use goshs for CTF challenges and penetration testing?+

Absolutely — goshs was built for exactly this. It ships with an SMB server that captures and optionally cracks NTLM hashes inline, an LDAP server with JNDI mode for Log4Shell, out-of-band DNS and SMTP callback servers, a reverse shell catcher with a one-click payload generator, redirect endpoints for SSRF testing, and a tunnel mode via localhost.run to expose goshs publicly in one flag.

Is goshs written in Go (golang)?+

Yes. goshs is written entirely in Go, which is why it compiles to a single static binary with no runtime dependencies. You can install it directly via the Go toolchain: go install goshs.de/goshs/v2@latest

Install your way

Available on every major platform and package manager.

🐧
curl | sh
curl -sSfL https://goshs.de/install.sh | sh
🐉
Kali Linux & Parrot OS
sudo apt install goshs
🎗️
Arch Linux (AUR)
yay -S goshs-bin
🖤
BlackArch
pacman -S goshs
🏔️
Alpine Linux (edge)
apk add goshs
🫙
Snap
snap install goshs
🎩
Fedora / RHEL (COPR)
dnf copr enable patrickhener/goshs && dnf install goshs
🦎
openSUSE
sudo zypper install goshs
❄️
Nix / NixOS
nix-env -iA nixpkgs.goshs
🐧
curl | sh
curl -sSfL https://goshs.de/install.sh | sh
🍺
Homebrew
brew install goshs
❄️
Nix / NixOS
nix-env -iA nixpkgs.goshs
🪟
Scoop
scoop bucket add extras && scoop install extras/goshs
🪟
winget
winget install PatrickHener.Goshs
🍫
Chocolatey
choco install goshs
🦫
Go
go install goshs.de/goshs/v2@latest
🐳
Docker
docker run --rm -it -p 8000:8000 \
  -v "$PWD:/pwd" patrickhener/goshs:latest -d /pwd
📦
GitHub Releases

Pre-built binaries for Linux, macOS, and Windows — additional .deb and .rpm packages — no Go toolchain required.

Download Release →

Join 858 ★ users

goshs is free and open source, forever. A star on GitHub helps others discover it.

★ Star on GitHub Read the Docs →