Microsoft SQL Server can now be run on Linux GNU.

Microsoft SQL Server ® on Linux GNU is here to stay. Get ready

Introduction

On December 28, 2016 – the feast of the Holy Innocents, that special day when Spanish speakers play jokes throughout the day – the acquisition of a “Platinum” type membership in the Linux Foundation by the company Microsoft ® and the launch of Microsoft SQL Server ® were announced. We took this news very seriously, since for us English speakers the day for joking around is April Fools’ Day, on April 1st. And if we had any doubts, it was officially published in the blog of the Microsoft ® technical team, which included a funny figure showing a “Microsoft Linux” (sic) sign along with a penguin.

We have been using computers since 1989, starting with the famous MS-DOS® (Mr. Linus Torvalds wasn’t even studying at university at that point), and we are still trying to get used to the idea that Microsoft SQL Server ® can be run on Linux. But nowadays this is an unavoidable reality, and the days of antagonism under former CEO Steve Ballmer are long gone. He left office in 2014, and his successor, Mr. Satya Nadella, led the company in developing one of the largest cloud computing infrastructures with the product “Microsoft Azure®” (formerly known as “Windows Azure®”).

This “Windows Azure®” product stands out because of its software development kit or “SDK” which is published as open-source (which is different from the free software license in Linux). To this day, artificial intelligence is already being developed in “Microsoft Azure®”, which is now known as “machine learning”.

This brief introduction leads us to our article today: Microsoft SQL Server ® on Linux GNU.

Microsoft SQL Server ® on Microsoft Windows®

Okay, we don’t want to fool you and yes, we are going to talk about GNU/Linux but first we need to know the framework of that popular database engine. Microsoft SQL Server ® was born in 1989 to be run on … IBM OS/2, yes, I am not joking. At that time, it was the “Ashton-Tate” company with its flagship product dBase that caused large volumes of data to flow through the local area network because each customer took a copy of the database to each computer where it was running. That’s why Microsoft bought the SQL Server ® license from Sybase which worked with the client/server model through simple commands and returned limited amounts of data (almost all the work is done separately and remotely on the server). Ashton-Tate provided its customer market and dBase worked as an interface for the user, while Microsoft and Sybase handled the work on the server side.

After some time (in 1994), version 6 of SQL Server ® appeared, which also ran on the recent Windows NT®; that version was no longer made by Sybase. From version 7.0 onwards it was massively rewritten in C++, and as of 2000, when it was time for OS/2 to be discontinued, SQL Server ® remained only for the Windows NT ® operating system. Then in 2001 its successor, Windows XP®, inherited the Windows NT® technology – by the way, “NT” means “New Technology” – and it was able to reach common users and their small and medium enterprises: the efficient management of relational data was no longer exclusive to large corporations.

In 2005 a dilemma emerged: the rise of 64-bit and multi-core processors, as well as large amounts of RAM, whose potential Microsoft SQL Server ® was not prepared to take full advantage of. In reaction to this, it was decided to build a platform layer, the “SQLOS layer”. SQLOS is a “highly configurable user-level operating system with a powerful application-programming interface.” (You can have a look at the official and detailed explanation here.) We will soon see why it was a very good choice, since it completely separates the programming from the workloads and threads of the computer on which Microsoft® SQL Server ® is installed.

Microsoft SQL Server ® on Linux GNU

In the world of web servers, GNU/Linux distributions have been the leading ones for many years. Debian has the Ubuntu Server, used by many companies of different sizes, to publish their sites on the Internet. But for the databases there are quite a few programmers who have chosen Microsoft SQL Server ® and because of this, companies must acquire a Microsoft Windows® operating system, this way creating additional work in the management of the local area network due to a mixed environment.

This concern gradually surfaced among Microsoft® customers and so they told the Redmond-based company (in Washington, USA) which put them on the spot because they did not know how to carry the millions of lines of code, accumulated during all these years, to the environment of the operating system of the penguin. The answer to this problem was found in a project dating back to 2011 called Drawbridge®, which was originally intended for virtualization of applications in a secure environment (called “sandbox”).

It was then necessary to “isolate” Microsoft SQL Server ®. Programmers coded in a carefree way as they worked in a well-known environment, which dealt with the various existing hardware. Once the Drawbridge processes were well understood and adapted, the following parameters were established:

  • Quality and security must meet the same high bar we set for SQL Server ® on Windows
  • Provide the same value, both in terms of functionality, performance, and scale
  • Application compatibility between SQL Server ® on Windows and Linux
  • Enable a continued fast pace of innovation in the SQL Server ® code base and make sure new features and fixes appear immediately across platforms
  • Put in place a foundation for future SQL Server suite services (such as Integration Services) to come to Linux

To make SQL Server ® support multiple platforms, the engineering task is essentially to remove or abstract away its dependencies on Microsoft Windows®. As we can see, it wasn’t easy for the developers, who were being pushed out of their comfort zone!

This is how they created “SQL Platform Abstraction Layer” (SQL PAL) that merges the concepts of “SQLOS layer” and Drawbridge®. From now on the development team can work with a single base code and they do not need to worry about where the code will run (this includes the new Microsoft Azure® platform we talked about earlier). As we can see, so far, everything has come to fruition and the projects and resources of the computer giant, which seemed scattered, are now part of a whole.

Installing Microsoft SQL Server ®

As St Thomas once said: “Seeing is believing”. That is why we took a virtual machine with 4 gigabytes of RAM (the minimum requirement is 3.25 gigabytes). We downloaded Ubuntu Server 16.04 through Torrent technology, installed it and applied the required security updates (just because it is a test server, we shouldn’t lose our good work habits!), and then installed Microsoft® SQL Server ® on this “clean” machine. (Jimmy Olano, writer of this article, has made a 23-minute recording of the complete installation process; you can watch it on YouTube by clicking on this link.)

Essentially, the instructions are to import the security keys that Microsoft® publishes on its website, so that we can verify that the content downloaded from that company has not been altered. Then we add the location of the repository to our package sources, update the list of components and give the order to download and install the packages. In fact, the Microsoft® blog where the instructions are published uses the “-y” parameter in order to accept the license immediately. We recommend installing without this option, so that we are always aware that we are using proprietary software and that we must stick to the license shown in the following figure of our authorship (Creative Commons Attribution-Share Alike 4.0 International):

[Figure: Microsoft SQL Server]

Installing SQL Server ® command-line tools

Once we have installed our SQL Server ®, we must configure the “firewall” and establish the access policies for the computer, which should then be ready to start receiving data from other computers. But if we want to work directly on the console of our machine, we must install the command-line tools with the command «sudo apt-get install mssql-tools unixodbc-dev» which, as expected, also asks us to accept or reject the conditions of use.
In our case, in the video we mentioned earlier, apart from installing the “command-line tools” we had the opportunity to create a database and a table, insert a few values and make a simple conditional query. But we will not forget about this tool, which can offer a lot more.

Monitoring SQL Server ®

For monitoring, the Microsoft® SQLCAT development team concluded that three tools are needed:

  • collectd.
  • InfluxDB.
  • Grafana.

We will focus on collectd and we will talk briefly about InfluxDB and Grafana.

“collectd”

This open source software is written in C and is a daemon or service which we will install and run on the server where Microsoft® SQL Server ® is hosted. It is very popular on routers that use OpenWrt, a well-known Linux distribution specially designed for these devices. It also has more than 100 plugins, which makes it easier to configure for popular Linux applications such as Apache and MySQL (when writing this article we reviewed that list and did not find a specific one for Microsoft® SQL Server ®, given the novelty of the arrival of this software in the GNU world).
To deliver the “collectd” data, you can either write them in RRD file format (“RRDfile”), so that they can then be plotted with RRDtool, or they can be collected using a plugin.
Currently Pandora FMS does not have a plugin for collectd, but it has no problem connecting via SNMP.

To install collectd we must have Git and Docker Engine installed and then create an account in Microsoft® SQL Server ® using the following instructions:

USE master;
GO
CREATE LOGIN [collectd] WITH PASSWORD = N'mystrongpassword';
GO
GRANT VIEW SERVER STATE TO [collectd];
GO
GRANT VIEW ANY DEFINITION TO [collectd];
GO

The latter is very important in order for collectd to have proper access to our database server. Microsoft® invites you to clone its repository on GitHub, where you can find some very detailed instructions and where we can contribute any observation or correction, or collaborate on an improvement by submitting a pull request.

“InfluxDB”

It is responsible for communicating with collectd and then it saves and organises the data collected.

“Grafana”

Software that produces stunning graphics and drawings that represent the data collected by InfluxDB. It is strongly recommended that both InfluxDB and Grafana be installed on another computer different from the one running Microsoft® SQL Server ® or even each one on their own machine if the amount of systems to be monitored is large enough.

Conclusions

Microsoft® made sure to make a good deal with its application SQL Server ®: the code will not be able to run away towards Linux and it avoids compromising its reliability. It also has a base code ready to be improved upon the arrival of new hardware or to cover other operating systems.

All trademarks named herein are accompanied by the “®” symbol and are owned by Microsoft® Corporation and comply with the proper use of such trademarks.

About Pandora FMS

Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

PowerShell 101: let’s get to know its use and main commands

PowerShell 101: an alternative to command line on Linux and Mac

The Command Line Interface (CLI) in Windows® exists and resists the passage of time, from those distant days of MS-DOS® to the current PowerShell 101. Let’s see the basic PowerShell.

When I went to college in the 1980s, proprietary software reigned. The old German computers with Unix® that printed our schedules were being replaced by “modern” personal computers. The Microsoft® software house – at that time – was tied to MS-DOS®, so we learned to use the commands: dir, cls, format for our floppy disks…

A little over a decade ago, back in Redmond they decided to dust off, modernize and empower the CLI. Born as Monad®, renamed PowerShell®, today we present you with the basic PowerShell or PowerShell 101.

Description: Basic Powershell – Logo
(Wikipedia https://commons.wikimedia.org/wiki/File:PowerShell_5.0_icon.png)

Basic PowerShell

The Linux operating system has been going on strong; there are many articles in Pandora FMS blog about it. Also in the monitoring of proprietary systems we are always present; Windows®, as its maximum exponent. And every time a new version comes out we’re there, testing and checking.

I think, because of this Linux thing, Microsoft decided to make a compilation of tools along with new concepts, as a counterpart to the GNU features that come with Linux. Considering that PowerShell Core exists since 2016 as open software (MIT license) but with Windows® proprietary components, now we have it available in Ubuntu, CentOS (the OS recommended for Pandora FMS) and macOS and even in another hardware architecture such as ARM.

Installing PowerShell Core at Linux

In Ubuntu we must first install the snap package manager: with sudo apt install snapd we will achieve our mission. Next we’ll run snap install powershell --classic

Description: snap install powershell --classic

First commands

Having launched it with the command pwsh (in Windows® we should look for powershell.exe), we will have a terminal window with “PS” as the prompt, followed by the location of the directory. In both environments the appearance is very similar, so we will generalize from now on.

Then let’s put our memory into practice:

  • cls: “clears” the screen, leaving space to execute a new cycle of commands. It’s not necessary at all, but it’s similar to writing with chalk on a blackboard and erasing to begin to explain another subject.
  • dir -ad: to list directories only.
  • echo message: when we want to show specific text on the screen. This doesn’t seem to be useful, but when we integrate it in a script it is of tremendous utility to indicate the progress of some task or the result of the same one.

We won’t delay any longer with the old MS-DOS commands. In the twenty-first century, we would need to continue using such old technology, and in the process with those old programs that communicated or interacted with text strings (STDIN, STDOUT).

Basic Command-let in PowerShell 101

In the 21st century everything is more complex; these are years of accumulated experience. PowerShell 101 is not a simple tool like the one we use in Linux. This tool has command-lets, a name that is abbreviated as cmdlet. This means that the commands we tested are not really the ones we thought they were: they are aliases of the default cmdlets, and this allows backward compatibility. Now, there’s more. Let’s analyse the case of the command date, used to return the date.

Its real name is Get-Date and although it returns in a slightly different format the current date and time to that of the alias, basically both do the same thing. For monitoring tasks we need to deliver that value in a very specific format: this is when the cmdlets do their job in a totally different way.

Description: «Working with cmdlet with date and time variables»

With the cmdlet Get-Date we can:

  • Display the date of the computer.
  • Display it in a custom format.
  • Use methods; in this case we visualize what day number is the date May 20, 2019 (it is the 140th day of the year).
  • Save a date variable in a custom format.
  • Convert this variable to a text string and save it in a file.
  • Notice that we have used the pipe to connect one cmdlet to another. The receiving cmdlet, used to write to disk, is called Add-Content. (Doesn’t it remind you of Linux?)
  • The reading counterpart is Get-Content and its alias is called… “cat”, just like the one used in Linux to list the contents of a text file!
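The steps in the list above, written out as an added example (it is not the content of the original figure; the file name and the sample text are assumptions made for illustration):

```powershell
# Constructed example: the file name and the sample text are illustrative.
$logFile = Join-Path ([System.IO.Path]::GetTempPath()) 'getdate-demo.txt'

# Display the date of the computer. Get-Date returns a [datetime] object.
$now = Get-Date
$now

# Display it in a custom format. With -Format the result is a [string].
Get-Date -Date $now -Format 'dd/MM/yyyy HH:mm'

# Use a property of the object: which day of the year is May 20, 2019?
(Get-Date -Year 2019 -Month 5 -Day 20).DayOfYear

# Save the date in a variable, in a fixed format that sorts correctly and
# does not depend on the regional settings of the machine.
$stamp = Get-Date -Date $now -Format 'yyyy-MM-dd HH:mm:ss'

# Build a text string and pipe it to Add-Content, which appends it to the file.
"$stamp heartbeat" | Add-Content -Path $logFile

# Read it back with Get-Content (alias: cat) and turn the first 19 characters
# of the last line back into a [datetime] using the same fixed format.
$lastLine = Get-Content -Path $logFile | Select-Object -Last 1
$parsed = [datetime]::ParseExact(
    $lastLine.Substring(0, 19),
    'yyyy-MM-dd HH:mm:ss',
    [cultureinfo]::InvariantCulture)

# The value that went to disk and came back is still a usable date.
$parsed -le (Get-Date)
```

Writing the timestamp in one fixed format and parsing it with the same format string keeps a monitoring script independent of the locale of the machine it runs on.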

Take a pause, check this before moving on to the next point.

Working with cmdlet

With all this as a base, we can stop thinking of basic Powershell as a tool and start evoking it as a toolbox. To do this we will use the Get-Command command:

Using it without any parameter will give us back a lot of tools; the ones we have installed in our computer.

If we inquire about a particular command, for example Get-Command Get-Date will return information about the command type, name, version and source (the library it belongs to). For Get-Date it will indicate that it is a cmdlet belonging to Microsoft.PowerShell.Utility and for Clear-Host (clear screen, cls) that it is simply a function. Entering an alias will return the original cmdlet or function.

If we don’t remember the name exactly we’ll use wildcards; for example, with Get-Command *date* we’ll get a list of all the commands that contain that string.

Help with basic Powershell

The help was also thought as a repository, since with the Get-Help command we can also download content to our computer:

  • Get-Help Get-Date: will show complete information about how to use Get-Date, its syntax, its aliases, etc.
  • Get-Help Get-Date -Online: will open an instance of our web browser and open the latest online information about the Get-Date command.
  • To work offline, i.e. to save the updated help: Update-Help.

Using Get-Help, let’s learn about the commands Get-Location and Set-Location.

Let’s suppose we have to create a folder or a file; for this we will no longer use the command md or mkdir (the latter is written exactly the same in Linux) but we will use the New-Item command:

New-Item "path/name" -type directory

New-Item command.

"path/name" of the directory; quotation marks are required when the path contains spaces.

Parameter -type and then what we have installed as provider: File, Directory, SymbolicLink, Junction or HardLink

Now let’s talk about providers: we can download the providers we need or we can create our own providers and associate them to the command. My imagination flies: we develop a program that acts as an FTP client and we offer it as a provider so we can sell it to anyone to integrate it into their PowerShell… but wait, there is more. If we do this in turn -if our license allows it- our client can add our FTP program as a library to their own projects. What do you think?

Note: PowerShell is also able to work via API and even security analysts have created their own PowerShell environments, some mixed with Python language… who don’t even need Microsoft executable files!

Pandora FMS and monitoring tasks

Pandora FMS flexibility allows us to use PowerShell to quickly access complex commands. For example, in Windows environment we need to know which patches are installed:

Get-CimInstance -ClassName Win32_QuickFixEngineering -ComputerName

We will be able to visualize the components with the Get-Member command, extract the contents and make our complement in Pandora FMS for PowerShell!
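One way to turn the patch list into a per-computer check, as an added example (not code from Pandora FMS or from the original article): the function name Get-PatchSummary, the 45-day threshold and the sample records are assumptions, and the sample data is constructed so that the block also runs on a machine without Get-CimInstance.

```powershell
# Hypothetical helper (not part of PowerShell or Pandora FMS): summarises
# hotfix records per computer and flags machines whose newest patch is old.
function Get-PatchSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $HotFix,
        [int] $MaxAgeDays = 45,            # assumed threshold, adjust to policy
        [datetime] $AsOf = (Get-Date)
    )
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($h in $HotFix) { $all.Add($h) } }
    end {
        $all | Group-Object -Property CSName | ForEach-Object {
            # InstalledOn can be empty on some systems; ignore those for dating.
            $dated  = @($_.Group | Where-Object { $_.InstalledOn })
            $latest = $dated | Sort-Object -Property InstalledOn -Descending |
                      Select-Object -First 1
            if ($latest) {
                $age   = [int][math]::Floor(($AsOf - $latest.InstalledOn).TotalDays)
                $id    = $latest.HotFixID
                $date  = $latest.InstalledOn
                $stale = $age -gt $MaxAgeDays
            } else {
                # No usable install date at all: report it instead of hiding it.
                $age = $null; $id = $null; $date = $null; $stale = $true
            }
            [pscustomobject]@{
                Computer        = $_.Name
                PatchCount      = $_.Count
                LatestHotFix    = $id
                LatestInstalled = $date
                AgeDays         = $age
                Stale           = $stale
            }
        }
    }
}

# Constructed sample records with the property names Win32_QuickFixEngineering
# exposes (CSName, HotFixID, InstalledOn). The KB numbers are placeholders.
$sample = @(
    [pscustomobject]@{ CSName = 'WS-01'; HotFixID = 'KB0000001'; InstalledOn = [datetime]'2021-06-30' }
    [pscustomobject]@{ CSName = 'WS-01'; HotFixID = 'KB0000002'; InstalledOn = [datetime]'2021-05-11' }
    [pscustomobject]@{ CSName = 'WS-02'; HotFixID = 'KB0000003'; InstalledOn = [datetime]'2021-03-02' }
    [pscustomobject]@{ CSName = 'WS-03'; HotFixID = 'KB0000004'; InstalledOn = $null }
)

$sample | Get-PatchSummary -AsOf ([datetime]'2021-07-15') | Format-Table -AutoSize

# On Windows, inspect the real objects and feed them to the same function:
#   Get-CimInstance -ClassName Win32_QuickFixEngineering | Get-Member -MemberType Property
#   Get-CimInstance -ClassName Win32_QuickFixEngineering | Get-PatchSummary
```

The Stale column gives a single true/false value per computer, which is the kind of result a monitoring module can alert on.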

WHAT’S NEW Pandora FMS 756

What’s new in Pandora FMS latest release, Pandora FMS 755

Let’s check out together the features and improvements related to this new Pandora FMS release: Pandora FMS 756.

NEW FEATURES AND IMPROVEMENTS

Added new widget: Odometer for visual consoles

A new odometer widget has been added. It will have two types of operations, one if it is a percentage value and the other if it is an absolute value, where its maximum and minimum values will be taken as reference for its calculation.

New automatic adjustment option in visual consoles

A new option has been added so that when you add a visual console in full screen mode, its width automatically adjusts.

Mass operations on Service elements

The ability to mass create/edit/delete items has been added in Services in both Nodes and Metaconsole.

Inside the Metaconsole, the following have been added:

  • Wizard within services to be able to add/edit/delete several service elements at once.
  • Service list option for mass creating and deleting services.

Within Nodes, service mass creation and deletion has been implemented from mass operations, as well as the ability to add/edit/delete several service elements at once.

Metaconsole centralized mode: Command Center

In this version, we introduce a new Metaconsole component, the Command Center, which allows working in a unified way in nodes, in a much more agile and fail-safe way. Any changes to the system configuration will be propagated to the nodes automatically.

New Alert server

A new server has been added to Pandora FMS. The alert server will be in charge of processing and sending all the alerts, thus being able to free threads from the rest of the servers so as not to overload data processing while the alerts are launched in environments with many alerts. This server is optional and if it is not activated, the alerts continue to work as before.

Comparison N-Able vs Kaseya vs Pandora FMS: Fight !!!

Official comparison: N-Able vs Kaseya vs Pandora FMS

Lemons, oranges, grapefruits, limes… We know that they are not the same, but if necessary, you can make juice with all of them. And yes, we can and we will. We are in summer and it makes you want to make a good cocktail, doesn’t it? Today, in PFMS blog, we are going to analyze the commonalities of N-Able (Solarwinds MSP), Kaseya and Pandora FMS. Also their -remarkable- differences of course.

Both Kaseya and N-Able stand out for being RMM solutions and integral IT management systems in SaaS mode for MSP. In short, they are a very good solution for managing remote workstations and being able to manage and monitor them remotely. This includes tasks such as patch installation, remote software installation, network equipment configuration, remote desktop access, backups, and of course, receiving alerts when something goes wrong on managed machines.

Kaseya’s client is usually an MSP that provides services to different users, so it needs a tool that with a single license can serve different clients, managing them in an isolated, but centralized and homogeneous manner. This saves costs and is more efficient, since both Kaseya and N-Able are specific tools for Windows desktops that need to be managed remotely.

Pandora FMS client is usually an end company, or an MSP specialized in managing more complex infrastructures, which requires a tool with a more technical profile, which allows its technicians to apply their existing knowledge, scripts, etc. integrating them to compose an effective monitoring that allows them to go where other tools cannot. They are more oriented towards base infrastructure (communications, servers and applications) than to desktop computers.

In this comparison we will also talk about prices. Both Kaseya and N-Able are above 20K USD in projects of 250 devices; yes, they are expensive tools, and they also have a complex and peculiar pricing model, so much so that you will not be able to find these prices clearly on their respective websites.

A very important difference is that both Kaseya and N-Able are usually used in a cloud model (SaaS) (although they also have on-premise licensing), while Pandora FMS is a much more conservative model and is totally on-premise. This is especially relevant regarding the impact on security, since as the last hack to the Kaseya infrastructure showed us, attacking the manufacturer may imply that they can reach the end customer. As we teased long ago, Solarwinds is also not spared from this plague of security problems, and has suffered, since the first attack in 2020, several more attacks.

Given that Pandora FMS is a 100% autonomous installation (it can be installed in an environment without Internet access), and that Pandora FMS agents are not accessible from the outside nor can they be updated remotely, it is, by design, somewhat safer than Kaseya and Solarwinds. However, no one is spared, and Pandora FMS during 2020 and 2021 has published several security patches, as it can be seen in the CVE registry of Mitre.org.

As a summary, we have created a table that describes features. Below there are some additional explanations.

N-Able vs Kaseya vs Pandora FMS

Prices

Others don’t talk about prices, we do. And we do it because it is something that everyone wants and needs to see. We know that it is very difficult to compare them because no product is licensed the same and they do not even share the same concepts. What we do is propose a more or less understandable and standard project to be able to compare the costs over three years. Let’s say, for example, that you want to monitor about 250 computers distributed among virtualized servers (30), workstations (200), physical network equipment and physical servers, making a total of 250 devices. Well, the cost of a THREE-year project, without professional services and with standard support, would be the following:

  • Kaseya: 30,000 USD
  • N-Able: 50,000 USD
  • Pandora FMS: 15,000 USD

Conclusions

Both N-Able and Kaseya are products that excel in desktop management capabilities: patch management, software installation, and configuration change management. They provide added value such as monitoring, backup, security policy management and remote control. To all of this, they offer a layer of additional services such as ticketing and a portal for MSPs to offer their clients an integrated management and billing platform (the latter only in the case of N-Able).

They are very oriented to job monitoring. Monitoring, although it covers many aspects, is not the main focus of the product, especially if we consider some advanced features such as:

  • Distributed transaction monitoring (web applications).
  • Monitoring Linux environments.
  • Service-oriented monitoring (defining of service trees).
  • High capacity (more than 10,000 devices).
  • Advanced monitoring of enterprise technologies (Oracle, SAP, VMware …).
  • Detailed monitoring of cloud environments (AWS, Azure).

In general, both N-Able and Kaseya have monitors for all kinds of applications, but only from a very superficial and remote point of view. That is, they are limited and not easily extensible.

If we add the high costs to this, Kaseya and N-Able do not seem like a good option for server monitoring projects or core infrastructure. For that, Solarwinds has a more traditional on-premise solution, although with costs of a similar order of magnitude, while Kaseya can only offer its product in an on-premise model.

Hard reflection on the cyberattack on Kaseya

What happened to Kaseya? How can we avoid it?

Imagine being offered an electronic lock for your front door. One that allows you to open the door through a mobile application in the cloud, would you accept it?

They promised that they would never lose the key, that with the app you would be able to open the door remotely, and that even through a webcam in the peephole the device would be able to recognize your face and welcome you.

Well, that would be making things even easier, thieves no longer would have to go door by door, breaking locks. A good thief would be enough to break the security of the company that manages the application in the cloud and resell the master key to the highest bidder on the deepweb, this includes criminal groups around the world. Days later, if not the same evening, specialized thieves will enter the houses of the selected clients, because, of course, in addition to the master key, they will have a list of clients with attributes, names and addresses. The cloud company will have to choose between crying, denying everything and declaring bankruptcy. The president of the company (CEO) will probably be the first to sell his shares in a hurry.

Weeks after the thieves almost run out of addresses on their lists, thanks to the webcam and access logs, because through those they will know that there is no one at home, the owners will arrive at their homes and when they arrive, they will not know what happened, among other things because there will not even be, a forced door.

Please don’t laugh, does it look like the script from an upcoming Netflix production? You should know that what I tell you has already happened before, including the CEO selling shares in a hurry.

It may seem like a step back, but making the decision to go back to old-fashioned IT management can be the difference between life and death for a business. Cost reduction, service outsourcing and the culture of “everything in the cloud” lead us inexorably to this phenomenon.

It happened. It’s happening. It is ransomware. It is about encrypting all the information and then blackmailing for its recovery, its decryption.

They enter your house, they take everything and if you want to see it again, you will have to pay a ransom. The information is still there, encrypted, inaccessible. Nothing works and what is worse, if you try something or you don’t pay on time, they will erase everything forever.

This time those affected are not governments or large companies. They are greengrocers, nursery schools, restaurants, dentists… hundreds of small and medium-sized businesses have had to close due to their computer systems being blocked. Again, a ransomware attack that encrypts and locks all the hard drives on your computers. Tomorrow it could be your business… or your own personal mobile. It is connected to the cloud, right?

All the victims had one thing in common: the remote access and patch management software they used at their companies. This software, Kaseya, is sold to managed service providers – outsourced IT departments – which then use it to manage their customers’ networks, usually those of small businesses. That software, of course, works in the cloud.

The cost of the ransom is not the most important thing, although the figures are not small (we are talking about 70 million dollars for Kaseya and an average of 300 thousand USD for each individual victim).

Could it happen tomorrow again?

Absolutely, YES.

The problem is no longer the software itself. It is not that Kaseya is bad software or that it is poorly made. Its level of engineering is probably no worse than that of industry giants like Microsoft. Everything can be improved, but that is not the issue.

As happened with SolarWinds, a security problem allowed hackers to get their malicious software inside the customer’s network, using the attacked software’s own update system to spread. Like a virus that replicates inside its victim and spreads to relatives once inside a house, sheltered by heating and blankets. Once the attack had been carried out this way, the company in turn had problems sending the patches to its customers; that is, the patient could not get the medicine that would cure him. Some customers never responded electronically and had to be called and told the software update procedure.

The problem with Kaseya is that we are not talking about software for large companies, which requires qualified personnel to operate, but rather software used to provide services to small companies that have few or no technical personnel and cannot handle such an attack.

While SolarWinds is used by government organizations, banks, and companies on the Standard & Poor’s 500 list (Standard & Poor’s is an American financial services rating agency), Kaseya is used by small and medium-sized businesses around the world, so the security problem is much more widespread and its impact can be even more devastating.

If the attack is directed at a company, and it is successful, it allows taking control of that company. If one service provider is attacked and the attack succeeds, all their customers’ systems can be accessed. That is why the attack on Kaseya is so serious, because Kaseya has tens of thousands of customers around the world due to its SaaS (Software as a Service) model.

Although Kaseya is a US company, affected companies have already been reported throughout Europe, the Middle East, Asia, and South America.

The attack was so successful that companies like Elliptic, which analyze cryptocurrency networks to detect unusual traffic, are scared by the number of victims who are paying ransoms. No doubt, if the attack was a success and made lots of profit, there will be many more.

Can it be helped?

Well, imagine that you’re invited to a barbecue in a garden. Everything is beautiful, it looks like a villa in Italian Tuscany. The temperature is perfect and the aroma of the food is delicious. The wine, the company, everything is fantastic.

There is only one problem: mosquitoes are going to devour you. When you go back home, you will not be able to sleep, you will end up covered in bites, and you will wonder how it is possible.

Something similar happens with Kaseya and SolarWinds. They are fantastic, but do you see yourself putting up with the inconvenience of eating in the countryside all your life? It is not about putting on pants or applying insect repellent. There are wasps, ants, all kinds of bugs in the countryside, attracted by people and the smell of food.

A party in your home kitchen may be less glamorous, but if you just want to eat well and not watch out for mosquito bites, you know the smart thing to do. It will be more inconvenient, even more expensive, but you control the environment.

The same goes for applications based on the cloud or based on the SaaS model. They have many advantages, but security is not one of them, because you delegate it to organizations that you do not know.

If you rely on IT for your business continuity, you may need to step back and go back to more conservative models. After all, trends go by and the world keeps on running.

