- The history is editable by default. If I move to a previous history line and change it, the old line disappears. Hitting Ctrl-c will remove it from the history.

- If I use simultaneous shells (screen, tmux, or several ssh connections), the history saved will be the one of the last shell to quit. The bash config `histappend` should be the default, IMO.

- Most of the time, I search the history by the beginning of the command I just typed, which zsh maps to alt-p and which bash does not map by default. I rarely use the ctrl-r search.

- No way to pause a command and view the man. With zsh, `git clone<alt-h>` will display `man git-clone`, then return to the incomplete command line.

- No way to set a command aside. E.g. if I realise while typing that I'm not in the right directory, `git clone<alt-q>cd src<return>`.

Press M-r to revert back to the original command.

> - No way to set a command aside. E.g. if I realise while typing that I'm not in the right directory, `git clone<alt-q>cd src<return>`.

Press M-# to comment out the current command and go to a new prompt, then up to get the commented command back, and M-3 M-# to uncomment it and run it (any number works, but 3 is the same key as #).

I think if bash had some interactive help with this magic when it appears then it would be a lot more helpful and a lot less magical.

bind -P | grep '\\e'

https://www.gnu.org/software/bash/manual/

My favorite by far is '\e.' or 'M-.' which inserts the last arg from your previous command. Discovering this led me down the bash rabbit-hole of finding new commands, creating my own and really enjoying the bash shell. Did you know you can execute arbitrary code as one of these commands? I had one that ran 'docker ps' so I could list my containers in the middle of typing a command.

With bash I’d just Ctrl+a and type “cd src ;” and then press ctrl+e and continue typing what I was typing.

I got so used to doing it that way, that even after switching to zsh I still do it this way.

The disadvantage of my way of doing it is if you typo the path. But I tab complete pretty much always, so in practice I don’t have the problem of typoing directory names without noticing.

I probably should learn those zsh ways of doing things. Will try to remember to do it the zsh way next time I need to do something like the things you mentioned.

$ : Command that has an error

I can then cd to the right directory, or fix whatever other problem I had, then use up-arrow to get back to the command, remove the : and space and run it.

The : (no op) command is fairly obscure and some of the other suggestions here are probably better.

- Oh-my-zsh has a lot of plugins for auto-completion

- FZF (fuzzy finder), for command history is a big hit (supports bash too)

I then used "stock zsh" and running commands was fine except some autocompletes like git-autocomplete were terribly slow and, for example, did not support `git switch`. This broke my workflow and it was easier to just go back to bash than to figure out how zsh works. I found that autocomplete in zsh is a lot more opaque than in bash. I'm sure there are ways to fix it. My way was to switch to bash.

(Now I use magit so the need is lessened.)

As does bash-completion, which is available in many (but not all :-/) Linux distros and via Homebrew on MacOS and [pre-dates](https://github.com/scop/bash-completion/tree/09b07d57a7031d9...) [oh-my-zsh](https://github.com/ohmyzsh/ohmyzsh/tree/5da20b9dddb1f7a91106...) by about 6 years.

But, zsh users and oh-my-zsh fan-boys seem to be entirely ignorant of bash-completion.

Not enough drama in the world already?

> If you are using Bash and you have the option of using ZSH, you should switch to it. ZSH has additional auto-complete and history features that Bash doesn’t have (but don't worry - those features will not be relevant to this tutorial.)

oh-my-zsh seems to be recommended by a lot of developers in this company, even though: * the default mechanism to install is curl|sh (there is no Homebrew package) on developer machines which have privileged access to a lot of resources * installing it via its recommended installation procedure on dev machines would violate company policies, whereas installing bash-completion wouldn't

Yours ain't it.

^A, ^K, m, a, n, space, ^Y, enter. Upon exit, ^Y.

> No way to set a command aside.

^A, ^K. Grab it again with ^Y.

(Yes, these are all readline shortcuts. If you think they’re a bit long, bind them to something shorter in your inputrc.)

I have used Linux for a decade now and I just got a friend interested in it and his pick was Kali because he was interested in learning about security stuff.

I took a quick look at it and saw that it was debian based and XFCE is my favourite desktop environment so I figured he'd be alright with it.

It also defaulted to running as a root user for everything, but they recently changed that.

Run it on a second laptop, on a USB stick, or in a virtual machine (that you cede access to the networking hardware).

IMO there are the young script kiddie types that have it on their main laptop to be cool, but yeah I don't see people using it except for work purposes.

You'd think a decent Bluetooth risk tool was more relevant given the covid19 dependency on more bt always on and so more bt drive-by

> You can do a lot of advanced things with bash, and customize it to do even more, but ZSH allows you to do even more.

Bash can do a lot of things zsh can’t, and vice versa.

> Fish is a nice shell (probably nicer than ZSH), but realistically it was not a real consideration due to the fact that it is not POSIX compatible.

Neither is zsh, really. There’s emulation modes but I never got the impression that fidelity was a goal there.

Also what can bash do that zsh can’t? Genuinely curious, after using both for years.

I have noticed that a lot of the features listed in https://www.gnu.org/software/bash/manual/bash.html#Major-Dif... aren't present in zsh, but I am not sure of all the ones that aren't in zsh.

Ones that I have used in bash that aren't in zsh (there may be many more, I stopped using zsh in many scenarios because of some of these):

* Some of https://www.gnu.org/software/bash/manual/bash.html#Shell-Par... (e.g at least ${LOGNAME^^}, `(FOO=BAR;echo ${FOO,,})`)

* -p option to read for the prompt, e.g. `read -s -p "Enter the DB password: " PW`

"Zsh is able to emulate POSIX shells, but its default mode is not POSIX compatible, either."

from http://zsh.sourceforge.net/Doc/Release/index.html

AFAICT this is the entire motivation provided. Since they start with stating that it's a very large change, It would be useful to flesh out the motivation a bit. For instance, some concrete examples of those "even more" things that you can do with zsh but not with bash would go a long way.

    /u<TAB>lo<TAB>b

    C() { cd `$HOME/path-selector.sh "$@"`; }

Opt-in bash extensions can do basically whatever people complain bash can't do. Though to be honest I don't use it that much over the last, say, 5 years. If I know a deep directory tree that well, I can just type it explicitly and/or tab complete it without losing much time. If I don't know it that well, FZF is quite nice.

What to you have in your bashrc to allow cd'ing in directories without typing cd?

But you can enable it in bash, the option has the same name as in zsh: autocd. Just run "shopt -s autocd".

I've been wanting to explore that branch for a long time, I'd really appreciate some great resources for an engineer with no pentesting experience.

Disclaimer: I'm not particularly good at this, so whatever comments I make are well intentioned but may be of varying accuracy.

...

Online sources:

* https://hackthissite.org Wargaming site. Plenty of challenges to practice, but some are a bit outdated.

* OWASP.org is a good place to find info. If you look something up, there's a good chance you will find it here.

* https://owasp.org/www-project-web-security-testing-guide/ Thanks to redis_mic for this one.

* https://overthewire.org Similar to HTS, but you don't need an account. The subject matter covered is also slightly different.

* https://0x00sec.org/ A forum dedicated to security. There's a lot of script kiddies, but also some gold.

* https://www.hackerone.com/ What better way to learn then practice on live targets? That being said, I would do some of the others first.

...

I do a lot of learning through reading, so books:

* Network Security Assessment by Chris McNab. I have second edition, which is a good and instructive read, but quite outdated.

* Real-World Bug Hunting by Peter Yaworski. Web security 101. Good read, and fairly useful.

* Advanced Penetration Testing by Wil Allsop. Outdated, but interesting. You will never use flash again after reading this.

* Social Engineering, The Science of Human Hacking by Christopher Hadnagy. This is a very interesting read. Also, one of the few that can't go out of date.

...

This should be enough to get you started. There's a couple more books I can think of, but they tend to be more specialized into certain fields of security and less approachable/generally applicable. If you want these recommendations as well, feel free to email me, my email's in my bio.

  - "Black Hat Go" - https://nostarch.com/blackhatgo  
  - "Black Hat Python" - https://nostarch.com/blackhatpython  
  - "Web Security for Developers" - https://nostarch.com  /websecurity  
  - "Cracking Codes with Python" - https://nostarch.com/crackingcodes

Thats free, and a great place to start if you are not sure if this field is right for you. Only needs a time investment.

Bundled with this I also got several (i.e many) hours of recorded and narrated video to accompany the pdf.

The best part though is the lab network. During the course I had access to a huge number of virtual machines to scan and exploit. The courseware really encourages you to experiment and evolve. The exam, if you want to try it, is an all out practical pentest from start to finish and 24h to complete. A comprehensive report covering the entire pentest is mandatory.

All in all the OSCP was totally worth the $ IMHO.

I do however recommend that total beginners should start with the free resources and other great sites like overthewire. Get your feet REALLY wet before you pay the $ and lab days start ticking.

I have an actual nextstation in my parents garage. I wonder if it's on that...

Zsh was placed onto the hard drive of the computer by the operating system installation cd and was an available executable program that could be invoked from the terminal.

There, is that better?

Must have been some confusion here.

The executable is on the machine. An operating system can have more than a single shell executable. Do you want me to post the binary? Screen shots? Maybe turn on an ssh hole? Perhaps send the man page? I can do all of this.

You can log in remotely and run it if you so desire.

I might be able to coerce VNC even although I'd probably need up port it to openstep (I've ported vnc before). Maybe there's a virtual box way of doing it as well

What is the purpose of this distro in regards to that?

I'm sure nobody who uses Kali needs it to exist, but that doesn't mean it doesn't add value.

It's Debian Live, so you can extend or customize it to suit a particular need. That it is ready to run and leaves no trace adds a lot of value.

You may not win a bounty from a vendor, but it's pretty trivial to take their app, add it to an image and expose potential vectors.

Your own PIR may benefit from the forensics tools (without the lead time of getting them working).

It doesn't deliver any 'security' on its own.