Resetting Hardware for Red Teamer

Reza Rashidi

In the realm of Red Team operations, one advanced technique involves exploiting hardware reset functionalities to disrupt critical systems and gain unauthorized access. This approach capitalizes on the inherent vulnerability of various devices to factory reset methods, which can be leveraged to bypass security configurations, restore default settings, or trigger service disruptions. By performing multiple power cycles or initiating factory resets, Red Teamers can effectively nullify customized configurations, forcing a system to revert to its default state. This can expose default credentials, remove security measures, and cause operational interruptions, providing an avenue for further exploitation.

This method is particularly potent in high-stakes environments where security and operational continuity are paramount. It applies to a range of critical devices, including network firewalls, industrial control systems (ICS), and data center hardware. The ability to reset hardware using multiple power-off techniques is a strategic move that can undermine network defenses, disrupt industrial processes, and compromise data integrity. By understanding and employing these reset techniques, Red Teamers can simulate realistic attack scenarios that test the resilience of an organization's security posture and response mechanisms.

| Device | Vendor | Model | Industry | Instructions | Impact |
|---|---|---|---|---|---|
| Cisco ASA Firewall | Cisco | ASA 5505, ASA 5516-X | Enterprise Networks | Power cycle 5 times, enter ROMMON mode, conf factory-default. | Firewall rules, VPN, and user settings wiped out. |
| Siemens SIMATIC PLC | Siemens | S7-1200 | Industrial Control Systems (ICS) | Power cycle 3 times, hold MRES button, release when STOP LED flashes. | Control programs and configurations erased. |
| Palo Alto Firewall | Palo Alto Networks | PA-220 | Enterprise Networks | Power cycle 5 times, boot into maintenance mode, select Factory Reset. | All firewall rules and network settings wiped out. |
| Ubiquiti EdgeRouter X | Ubiquiti Networks | EdgeRouter X | SMB and ISP Networks | Power cycle 3 times, hold reset button for 15 seconds. | All configurations reset, default credentials enabled. |
| Schneider Modicon PLC | Schneider Electric | M221 | Industrial Automation (ICS) | Power cycle 3 times, hold reset button for 10 seconds. | Automation processes disrupted, configurations erased. |
| Honeywell Experion Controller | Honeywell | Experion PKS | SCADA/ICS Systems | Power cycle 4 times, hold reset button for 30 seconds. | SCADA configurations removed. |
| Hikvision NVR | Hikvision | DS-7600 | Surveillance Systems | Power cycle 3 times, hold reset button for 20 seconds. | Enables default credentials for access. |
| APC Smart-UPS | APC by Schneider | SMT1500RM2U | Critical Power Management | Power cycle 5 times, hold reset button for 10 seconds. | Removes custom power settings, affecting uptime. |
| GE RX3i Controller | General Electric | RX3i PACSystems Controller | ICS/SCADA Systems | Power cycle 3 times, hold reset button for 15 seconds. | Automation control disrupted, configurations erased. |
| Cisco Catalyst Switch | Cisco | Catalyst 2960 | Enterprise Networks | Power cycle 5 times, hold mode button for 10 seconds. | VLAN, routing, and security configurations removed. |
| Rockwell CompactLogix PLC | Rockwell Automation | CompactLogix 1769-L16ER | ICS/Industrial Automation | Power cycle 3 times, hold reset button for 10 seconds. | Ladder logic and configurations erased. |
| Juniper Switch | Juniper Networks | EX2200 | Enterprise Networks | Power cycle 3 times, hold reset button for 10 seconds. | VLAN, port, and security settings cleared. |
| Siemens SIMATIC PLC | Siemens | S7-1500 | Industrial Control Systems (ICS) | Power off and on 4 times, hold MRES button for 10 seconds. | Configuration and programs erased, requires manual reprogramming. |
| Dell PowerEdge Server | Dell | PowerEdge R640 | Data Centers | Power cycle 5 times, hold reset button for 15 seconds. | Wipes all server configurations and storage data. |
| Aruba Switch | Aruba Networks | 2930F | Enterprise Networks | Power cycle 3 times, hold reset button for 20 seconds. | Network settings removed, default access enabled. |
| Axis Network Camera | Axis Communications | M3106-LVE | Surveillance Systems | Power cycle 4 times, hold reset button for 10 seconds. | Default credentials re-enabled for camera control. |
| Fortinet Firewall | Fortinet | FortiGate 30E | Enterprise Networks | Power cycle 5 times, hold reset button for 20 seconds. | Firewall rules wiped out, default credentials enabled. |
| Yokogawa DCS Controller | Yokogawa | CENTUM VP DCS | Process Automation/SCADA | Power cycle 3 times, hold reset button for 15 seconds. | Process control configurations lost. |
| Panasonic PBX | Panasonic | KX-NS700 | Telecommunications | Power cycle 3 times, hold reset button for 10 seconds. | Telephony settings erased, requires reconfiguration. |
| Mitsubishi Electric PLC | Mitsubishi Electric | MELSEC-Q Series | Industrial Automation | Power cycle 3 times, hold reset button for 20 seconds. | Automation processes interrupted, forcing reprogramming. |
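
Every row above shares one observable pattern: several power-on boots in quick succession, followed by the device coming up on its default configuration. The detector below is an added example, not code from the original article; the event names, hostnames, log layout and the 10-minute window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from a real device): "<ISO time> <host> <event>".
# "coldStart" stands for a power-on boot, "configDefault" for a device
# reporting that it is running its factory-default configuration.
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 core-sw-01 coldStart
2024-05-01T10:00:00 edge-fw-01 coldStart
2024-05-01T10:01:30 edge-fw-01 coldStart
2024-05-01T10:03:00 edge-fw-01 coldStart
2024-05-01T10:04:10 edge-fw-01 configDefault
2024-05-01T14:00:00 core-sw-01 coldStart
2024-05-02T09:00:00 plc-line-2 configDefault
"""

MIN_CYCLES = 3                    # smallest power-cycle count in the table above
WINDOW = timedelta(minutes=10)    # assumed window; tune to real boot times


def detect_reset_patterns(text, min_cycles=MIN_CYCLES, window=WINDOW):
    """Return alerts (time, host, kind) for boot bursts and default-config events."""
    boots = defaultdict(deque)    # host -> coldStart times still inside the window
    burst_at = {}                 # host -> time of the latest boot in a detected burst
    alerts = []
    events = sorted(line.split() for line in text.splitlines() if line.strip())
    for ts, host, event in events:
        when = datetime.fromisoformat(ts)
        if event == "coldStart":
            recent = boots[host]
            recent.append(when)
            while when - recent[0] > window:      # drop boots older than the window
                recent.popleft()
            if len(recent) >= min_cycles:
                if host not in burst_at or when - burst_at[host] > window:
                    alerts.append((ts, host, "power-cycle-burst"))  # once per burst
                burst_at[host] = when
        elif event == "configDefault":
            after_burst = host in burst_at and when - burst_at[host] <= window
            kind = "factory-reset-after-burst" if after_burst else "default-config-seen"
            alerts.append((ts, host, kind))
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_patterns(SAMPLE_EVENTS):
        print(*alert)
```
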

1. Cisco ASA 5500 Series Firewall

  • Vendor: Cisco

  • Model: ASA 5505, ASA 5516-X

  • Industry: Enterprise Networks

  • Objective: Reset firewall to disrupt configurations and force use of default credentials.

  • Instructions:

    1. Power cycle the device 5 times rapidly (5 seconds between each cycle).

    2. After the fifth reboot, the device will enter ROMMON mode.

    3. Use the command conf factory-default to restore to factory defaults.

    4. Reboot, and access the device with default credentials (admin/admin).

  • Impact: Firewall rules, VPN, and user settings are wiped out.

Reference: Cisco ASA Configuration Guide.


2. Siemens SIMATIC S7-1200 PLC

  • Vendor: Siemens

  • Model: SIMATIC S7-1200

  • Industry: Industrial Control Systems (ICS)

  • Objective: Reset PLC controlling critical industrial processes.

  • Instructions:

    1. Power cycle the PLC 3 times (5 seconds between cycles).

    2. Press and hold the MRES button for 3-5 seconds until the STOP LED flashes.

    3. Release and press again for 10 seconds until the LED stays solid.

    4. The PLC will reset to factory defaults.

  • Impact: All control programs and configurations are erased, forcing reprogramming.

Reference: Siemens S7-1200 Manual.


3. Palo Alto Networks PA-220 Firewall

  • Vendor: Palo Alto Networks

  • Model: PA-220

  • Industry: Enterprise Networks

  • Objective: Reset firewall and use default credentials for access.

  • Instructions:

    1. Power cycle the firewall 5 times (5-10 seconds between cycles).

    2. The firewall will boot into maintenance mode.

    3. Select Factory Reset from the console.

    4. Reboot with default credentials (admin/admin).

  • Impact: All firewall rules and network settings are wiped out.

Reference: Palo Alto PA-220 Admin Guide.


4. Ubiquiti EdgeRouter X

  • Vendor: Ubiquiti Networks

  • Model: EdgeRouter X

  • Industry: SMB and ISP Networks

  • Objective: Reset router to factory defaults, removing all configurations.

  • Instructions:

    1. Power cycle the router 3 times.

    2. Press the reset button (pinhole) for 15 seconds.

    3. The router will reset and reboot to factory defaults.

  • Impact: Allows access via default credentials (ubnt/ubnt).

Reference: Ubiquiti EdgeRouter Manual.


5. Schneider Electric Modicon M221 PLC

  • Vendor: Schneider Electric

  • Model: Modicon M221

  • Industry: Industrial Automation (ICS)

  • Objective: Reset PLC managing automation systems.

  • Instructions:

    1. Power cycle the PLC 3 times.

    2. Hold the reset button on the module for 10 seconds.

    3. The system will reset, erasing all user configurations.

  • Impact: Automation processes are disrupted, forcing the user to reload settings.

Reference: Schneider Electric Modicon M221 Manual.


6. Honeywell Experion PKS Controller

  • Vendor: Honeywell

  • Model: Experion PKS

  • Industry: SCADA/ICS Systems

  • Objective: Reset SCADA control system to factory defaults.

  • Instructions:

    1. Power cycle the controller 4 times.

    2. After the fourth cycle, hold the reset button for 30 seconds.

    3. The system will reboot with default configurations.

  • Impact: All SCADA configurations are removed.

Reference: Honeywell Experion PKS Manual.


7. Hikvision DS-7600 NVR

  • Vendor: Hikvision

  • Model: DS-7600 Series

  • Industry: Surveillance Systems

  • Objective: Reset the NVR and gain access to default credentials.

  • Instructions:

    1. Power cycle the NVR 3 times (10 seconds between cycles).

    2. Press the reset button (pinhole) for 20 seconds.

    3. The system will reboot with default settings (admin/12345).

  • Impact: Complete access to the surveillance system.

Reference: Hikvision NVR Quick Start Guide.


8. APC Smart-UPS SMT1500RM2U

  • Vendor: APC by Schneider Electric

  • Model: SMT1500RM2U

  • Industry: Critical Power Management

  • Objective: Reset UPS to disrupt power configurations.

  • Instructions:

    1. Power cycle the UPS 5 times.

    2. Hold the reset button for 10 seconds to trigger a factory reset.

    3. Reboot and reconfigure from scratch.

  • Impact: Removes custom power settings, affecting uptime.

Reference: APC Smart-UPS User Manual.


9. GE RX3i Controller

  • Vendor: General Electric

  • Model: RX3i PACSystems Controller

  • Industry: ICS/SCADA Systems

  • Objective: Disrupt industrial control and force factory reset.

  • Instructions:

    1. Power cycle the device 3 times.

    2. Press and hold the reset button for 15 seconds.

    3. The system will reboot and erase all configuration.

  • Impact: Automation control is disrupted, and the factory reset erases programs.

Reference: GE RX3i Technical Documentation.


10. Cisco Catalyst 2960 Switch

  • Vendor: Cisco

  • Model: Catalyst 2960

  • Industry: Enterprise Networks

  • Objective: Reset switch configuration to default settings.

  • Instructions:

    1. Power cycle the switch 5 times.

    2. Hold the mode button for 10 seconds during the final boot.

    3. The switch will reset to factory defaults.

  • Impact: Removes all VLAN, routing, and security configurations.

Reference: Cisco Catalyst 2960 Reset Guide.


11. Rockwell Automation Allen-Bradley CompactLogix PLC

  • Vendor: Rockwell Automation

  • Model: CompactLogix 1769-L16ER

  • Industry: ICS/Industrial Automation

  • Objective: Reset PLC controlling industrial processes.

  • Instructions:

    1. Power cycle the PLC 3 times.

    2. Press and hold the reset button for 10 seconds.

    3. Reboot to factory settings.

  • Impact: All ladder logic and configurations are erased.

Reference: Rockwell CompactLogix Manual.


12. Juniper EX2200 Switch

  • Vendor: Juniper Networks

  • Model: EX2200

  • Industry: Enterprise Networks

  • Objective: Reset switch to factory defaults.

  • Instructions:

    1. Power cycle the switch 3 times.

    2. Press the reset button for 10 seconds.

    3. Reboot with factory defaults.

  • Impact: Clears all VLAN, port, and security settings.

Reference: Juniper EX2200 Manual.


13. Siemens SIMATIC S7-1500 PLC

  • Vendor: Siemens

  • Model: SIMATIC S7-1500

  • Industry: Industrial Control Systems (ICS)

  • Objective: Reset PLC to default configuration, disrupting industrial control systems.

  • Instructions:

    1. Power off the device and turn it back on 4 times.

    2. Hold the MRES button for 10 seconds to trigger a factory reset.

    3. Release the button and wait for a system reboot.

  • Impact: All configuration data and user programs are erased, forcing manual reprogramming.

Reference: Siemens SIMATIC S7-1500 Manual.


14. Dell PowerEdge R640 Server

  • Vendor: Dell

  • Model: PowerEdge R640

  • Industry: Data Centers

  • Objective: Factory reset to wipe server configuration.

  • Instructions:

    1. Power off the server, then turn it on and off 5 times.

    2. During the final boot, press the reset button for 15 seconds.

    3. The system will factory reset.

  • Impact: Wipes all configurations and storage data.

Reference: Dell PowerEdge Reset Guide.


15. Aruba Networks 2930F Switch

  • Vendor: Aruba Networks

  • Model: 2930F

  • Industry: Enterprise Networks

  • Objective: Reset switch to factory settings for default access.

  • Instructions:

    1. Power cycle 3 times.

    2. Hold the reset button for 20 seconds.

    3. The switch will reset to factory defaults.

  • Impact: Removes all network settings, enabling default access.

Reference: Aruba 2930F Manual.


16. Axis M3106-LVE Network Camera

  • Vendor: Axis Communications

  • Model: M3106-LVE

  • Industry: Surveillance Systems

  • Objective: Factory reset to gain access to video streams.

  • Instructions:

    1. Power cycle the camera 4 times.

    2. Press and hold the reset button for 10 seconds.

    3. The camera will reboot to factory settings (root/pass).

  • Impact: Enables default credentials, providing control over the camera.

Reference: Axis M3106-LVE User Manual.


17. Fortinet FortiGate 30E Firewall

  • Vendor: Fortinet

  • Model: FortiGate 30E

  • Industry: Enterprise Networks

  • Objective: Factory reset to disable firewall settings.

  • Instructions:

    1. Power off and on the firewall 5 times.

    2. Hold the reset button for 20 seconds.

    3. The firewall will reset and reboot with default credentials.

  • Impact: Firewall rules and configurations are wiped out.

Reference: Fortinet FortiGate 30E Manual.


18. Yokogawa CENTUM VP DCS Controller

  • Vendor: Yokogawa

  • Model: CENTUM VP DCS

  • Industry: Process Automation/SCADA

  • Objective: Factory reset to disrupt process control.

  • Instructions:

    1. Power cycle 3 times.

    2. Hold the reset button for 15 seconds.

    3. The controller will reset, erasing all configurations.

  • Impact: Critical process control configurations are lost.

Reference: Yokogawa CENTUM VP Technical Guide.


19. Panasonic KX-NS700 PBX

  • Vendor: Panasonic

  • Model: KX-NS700

  • Industry: Telecommunications

  • Objective: Factory reset to disrupt telecommunication operations.

  • Instructions:

    1. Power off the PBX and cycle power 3 times.

    2. Hold the reset button for 10 seconds to initiate factory reset.

    3. The system will reboot and require reconfiguration.

  • Impact: All telephony settings are erased.

Reference: Panasonic KX-NS700 Manual.


20. Mitsubishi Electric MELSEC-Q Series PLC

  • Vendor: Mitsubishi Electric

  • Model: MELSEC-Q Series

  • Industry: Industrial Automation

  • Objective: Reset PLC controlling automation processes.

  • Instructions:

    1. Power off and on the PLC 3 times.

    2. Press the reset button for 20 seconds.

    3. The PLC will reset to factory defaults, erasing all configurations.

  • Impact: Automation processes are interrupted, forcing reprogramming.

Reference: Mitsubishi Electric MELSEC-Q Series Manual.

