goshs
goshs is a single-binary file server written in Go that combines HTTP/S, WebDAV, FTP/SFTP, SMB, and LDAP services with built-in security features like TLS, basic auth, and credential capture. It targets red teamers, penetration testers, and developers who need a lightweight alternative to Python's SimpleHTTPServer with advanced protocol support and callback mechanisms.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | goshs-labs/goshs |
| Owner | goshs-labs |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 924 |
| Forks | 53 |
| Open issues | 0 |
| Latest release | v2.1.4 (2026-07-03) |
| Last updated | 2026-07-03 |
| Source | https://github.com/goshs-labs/goshs |
What goshs is
A Go-based multi-protocol server implementing HTTP/S, WebDAV, FTP/SFTP, SMB, LDAP/S with integrated features for NTLM hash capture, DNS/SMTP callback servers, payload templating ({{.LHOST}}/{{.LPORT}} substitution), token-based share links, and a TUI dashboard. Supports TLS (self-signed, Let's Encrypt, custom certs), basic auth, certificate auth, IP whitelisting, file-based ACLs, and TTL self-destruct.
Get the goshs source
Clone the repository and explore it locally.
git clone https://github.com/goshs-labs/goshs.gitcd goshs# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Single binary simplifies deployment: no runtime dependencies beyond OS-level protocols (SMB, LDAP require kernel/system support). Verify protocol stack availability on target OS before deployment.
- TLS self-signed cert generation is built-in but requires careful client certificate validation in production use; Let's Encrypt integration available but needs DNS/DNS-01 setup for engagement scenarios.
- Payload templating ({{.LHOST}}, {{.LPORT}}, custom --tpl-var) requires understanding variable scope and rendering behavior; test template expansion before live use.
- TTL self-destruct (--ttl) is process-level; restarting the process resets the timer. Not suitable for distributed or containerized deployments without external orchestration.
- Authentication (basic auth, cert-based ACLs, IP whitelist) is per-service but granularity varies; carefully document which protocols apply which auth rules.
When to avoid it — and what to weigh
- High-Volume Production File Serving — goshs is optimized for engagement and testing scenarios, not production-grade throughput. Use nginx, Apache, or S3 for stable, high-concurrency file distribution.
- Compliance-Mandated Audit Logging — No explicit mention of structured logging, log rotation, or audit trails suitable for SOC2/ISO compliance. Webhook and JSON API exist but audit sufficiency is unclear.
- Running Untrusted User Code — CLI command execution mode and dynamic payload templating introduce code execution risk. Not designed for multi-tenant or hostile input scenarios.
- Air-Gapped Environments Without Go Toolchain — Requires pre-built binary or Go installation. Package availability varies by distro (Kali, AUR, Fedora COPR, etc.) but some environments may lack it.
License & commercial use
MIT License (OSI-approved permissive license). Permits commercial use, modification, and distribution with attribution; no copyleft obligations.
MIT License explicitly allows commercial use without restriction. No proprietary code, paid features, or licensing gates observed. However, use case (red teamming, pentesting tools) may carry regulatory/compliance considerations depending on jurisdiction and application context—review your engagement terms and applicable laws.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
goshs is explicitly designed for offensive security and red team operations (hash capture, credential exfiltration, JNDI/Log4Shell LDAP modes). Deployment should be restricted to controlled engagement environments with appropriate network isolation. TLS support (self-signed, Let's Encrypt) and basic/cert auth available but not mandatory; default configuration may lack encryption/authentication. SMB/LDAP/NTLM handling follows Windows protocol specs; security depends on proper configuration of domain, share names, and hash storage. Reverse shell catcher and command execution modes increase attack surface; disable if not required. No mention of rate limiting, DDoS protection, or traffic analysis evasion.
Alternatives to consider
updog (Python)
Lighter-weight single-purpose HTTP file server; goshs was inspired by it but adds multi-protocol support and red team features. Use if only HTTP/S + upload/download needed.
SimpleHTTPServer (Python stdlib)
Minimal, no dependencies, but single protocol (HTTP only), no auth, no TLS. goshs is a direct replacement with feature parity + extras.
Impacket (Python library + tools)
Modular SMB/LDAP/NTLM library used for building custom servers. More flexible for advanced protocol manipulation but requires Python + coding; goshs is pre-built and opinionated for speed.
Build on goshs with DEV.co software developers
Download the single binary, run one command, and serve files with protocol flexibility and credential capture. Available for Linux, macOS, Windows, and Docker.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
goshs FAQ
Can I use goshs for production file distribution?
Does goshs require external dependencies?
Can I capture and crack NTLM hashes?
How do I use payload templating for dynamic callbacks?
Work with a software development agency
Need help beyond evaluating goshs? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Deploy goshs in Your Next Engagement
Download the single binary, run one command, and serve files with protocol flexibility and credential capture. Available for Linux, macOS, Windows, and Docker.