DEV.co
Open-Source Security · goshs-labs

goshs

goshs is a single-binary file server written in Go that combines HTTP/S, WebDAV, FTP/SFTP, SMB, and LDAP services with built-in security features like TLS, basic auth, and credential capture. It targets red teamers, penetration testers, and developers who need a lightweight alternative to Python's SimpleHTTPServer with advanced protocol support and callback mechanisms.

Source: GitHub — github.com/goshs-labs/goshs
924
GitHub stars
53
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorygoshs-labs/goshs
Ownergoshs-labs
Primary languageGo
LicenseMIT — OSI-approved
Stars924
Forks53
Open issues0
Latest releasev2.1.4 (2026-07-03)
Last updated2026-07-03
Sourcehttps://github.com/goshs-labs/goshs

What goshs is

A Go-based multi-protocol server implementing HTTP/S, WebDAV, FTP/SFTP, SMB, LDAP/S with integrated features for NTLM hash capture, DNS/SMTP callback servers, payload templating ({{.LHOST}}/{{.LPORT}} substitution), token-based share links, and a TUI dashboard. Supports TLS (self-signed, Let's Encrypt, custom certs), basic auth, certificate auth, IP whitelisting, file-based ACLs, and TTL self-destruct.

Quickstart

Get the goshs source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/goshs-labs/goshs.gitcd goshs# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Rapid Engagement File Transfer & Hash Capture

Deploy as a single binary during penetration tests to serve payloads, capture SMB/LDAP hashes and NTLM credentials, and rotate endpoints without reconfiguring infrastructure. Eliminates dependency on Apache or Python SimpleHTTPServer.

CTF & Red Team Collaboration

Stand up ephemeral callback servers (DNS, SMTP, reverse shell catcher) with token-based share links, time/download limits, and automatic TTL self-destruct. Supports payload templating for dynamic callback configuration.

Multi-Protocol Development & Testing

Test clients against multiple protocols (HTTP/S, WebDAV, FTP/SFTP, SMB, LDAP) from a single configurable server instance. Useful for compliance testing, CI/CD integration, and local development environments.

Implementation considerations

  • Single binary simplifies deployment: no runtime dependencies beyond OS-level protocols (SMB, LDAP require kernel/system support). Verify protocol stack availability on target OS before deployment.
  • TLS self-signed cert generation is built-in but requires careful client certificate validation in production use; Let's Encrypt integration available but needs DNS/DNS-01 setup for engagement scenarios.
  • Payload templating ({{.LHOST}}, {{.LPORT}}, custom --tpl-var) requires understanding variable scope and rendering behavior; test template expansion before live use.
  • TTL self-destruct (--ttl) is process-level; restarting the process resets the timer. Not suitable for distributed or containerized deployments without external orchestration.
  • Authentication (basic auth, cert-based ACLs, IP whitelist) is per-service but granularity varies; carefully document which protocols apply which auth rules.

When to avoid it — and what to weigh

  • High-Volume Production File Serving — goshs is optimized for engagement and testing scenarios, not production-grade throughput. Use nginx, Apache, or S3 for stable, high-concurrency file distribution.
  • Compliance-Mandated Audit Logging — No explicit mention of structured logging, log rotation, or audit trails suitable for SOC2/ISO compliance. Webhook and JSON API exist but audit sufficiency is unclear.
  • Running Untrusted User Code — CLI command execution mode and dynamic payload templating introduce code execution risk. Not designed for multi-tenant or hostile input scenarios.
  • Air-Gapped Environments Without Go Toolchain — Requires pre-built binary or Go installation. Package availability varies by distro (Kali, AUR, Fedora COPR, etc.) but some environments may lack it.

License & commercial use

MIT License (OSI-approved permissive license). Permits commercial use, modification, and distribution with attribution; no copyleft obligations.

MIT License explicitly allows commercial use without restriction. No proprietary code, paid features, or licensing gates observed. However, use case (red teamming, pentesting tools) may carry regulatory/compliance considerations depending on jurisdiction and application context—review your engagement terms and applicable laws.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

goshs is explicitly designed for offensive security and red team operations (hash capture, credential exfiltration, JNDI/Log4Shell LDAP modes). Deployment should be restricted to controlled engagement environments with appropriate network isolation. TLS support (self-signed, Let's Encrypt) and basic/cert auth available but not mandatory; default configuration may lack encryption/authentication. SMB/LDAP/NTLM handling follows Windows protocol specs; security depends on proper configuration of domain, share names, and hash storage. Reverse shell catcher and command execution modes increase attack surface; disable if not required. No mention of rate limiting, DDoS protection, or traffic analysis evasion.

Alternatives to consider

updog (Python)

Lighter-weight single-purpose HTTP file server; goshs was inspired by it but adds multi-protocol support and red team features. Use if only HTTP/S + upload/download needed.

SimpleHTTPServer (Python stdlib)

Minimal, no dependencies, but single protocol (HTTP only), no auth, no TLS. goshs is a direct replacement with feature parity + extras.

Impacket (Python library + tools)

Modular SMB/LDAP/NTLM library used for building custom servers. More flexible for advanced protocol manipulation but requires Python + coding; goshs is pre-built and opinionated for speed.

Software development agency

Build on goshs with DEV.co software developers

Download the single binary, run one command, and serve files with protocol flexibility and credential capture. Available for Linux, macOS, Windows, and Docker.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

goshs FAQ

Can I use goshs for production file distribution?
Not recommended. goshs is optimized for engagement speed and testing, not production throughput/reliability. Use nginx, Apache, or S3 for stable distribution.
Does goshs require external dependencies?
Single binary; no runtime dependencies beyond OS-level protocol support (SMB/LDAP require kernel features). TLS certs are generated on-the-fly or provided via flag.
Can I capture and crack NTLM hashes?
Yes. SMB (-smb) and LDAP (-ldap) modes capture hashes; use --ldap-wordlist to enable cracking. Requires providing a wordlist file.
How do I use payload templating for dynamic callbacks?
Use -i <LHOST> --template --tpl-var LPORT=4444 to inject variables into served files. Clients fetch with ?tpl query param to trigger rendering.

Work with a software development agency

Need help beyond evaluating goshs? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Deploy goshs in Your Next Engagement

Download the single binary, run one command, and serve files with protocol flexibility and credential capture. Available for Linux, macOS, Windows, and Docker.