Release v2.0.0 · patrickhener/goshs

goshs v2.0.0

This is a major release that significantly expands goshs beyond an HTTP file server into a full multi-protocol collaboration and capture tool.

New Protocols

SMB Server
Spin up a rogue SMB server to capture and crack NTLM hashes during penetration tests and CTF challenges.
goshs -smb -smb-domain CORP

SFTP Server
Serve files over SSH/SFTP alongside or instead of HTTP.

DNS Server
Catch out-of-band DNS callbacks — useful for SSRF detection and blind injection testing.
goshs -dns -dns-ip

SMTP Server
Receive emails including attachments, logged and forwarded to webhooks. Requires a domain to prevent open relay abuse.
goshs -smtp -smtp-domain your-domain.com

Collaboration Mode

A new real-time collaboration panel brings together all active servers in one view:

Live HTTP request log
Live DNS query log
Live SMTP inbox (with attachment display)
Live SMB NTLM hash capture
Live clipboard sync across sessions

New Features

Redirect endpoint — issue HTTP redirects with custom status codes and headers via ?redirect&url=...&status=301&header=... — useful for SSRF and open redirect testing
Dark / light theme — full UI redesign with theme toggle and new logo
SMB webhook events — NTLM captures are forwarded to your configured webhook
NTLM quick cracker — captured SMB hashes are automatically tested against a built-in list of known/common passwords
Info endpoint — JSON endpoint exposing server configuration and state
Clipboard live update — clipboard contents sync in real time across all connected clients
Recursive .goshs auth — per-directory auth files now apply recursively to subdirectories
Config file improvements — cleaner structure, new fields for all v2 server modes

Security Fixes

Several vulnerabilities reported by the community were fixed during the beta cycle:

Path traversal sanitization across all handlers (GHSA-6qcc-6q27-whp8)
Token bypass allowing unauthenticated upload/delete/CLI via WebDAV (GHSA-jgfx-74g2-9r6g)
SFTP server port confusion bug (GHSA-2943-crp8-38xx)
Auth bypass via .goshs files not applying recursively (GHSA-wvhv-qcqf-f3cx)
Five additional security advisories resolved (GHSA-5h6h-7rc9-3824, GHSA-c29w-qq4m-2gcv, GHSA-jrq5-hg6x-j6g3, GHSA-7h3j-592v-jcrp, GHSA-hpxj-9fgp-fhhf)

Thanks to the security contributors: @marduc812, @autobot23920, @R1ZZG0D, @jaisurya-me, and @Guilhem7.

Installation

go install goshs.de/goshs@latest

Or grab a binary from the releases page.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v2.0.0

Choose a tag to compare

Sorry, something went wrong.

Sorry, something went wrong.

Uh oh!

No results found

Contributors

Uh oh!