Building a Collaborative Attack Platform with Amazon EC2 – Part 1b: CobaltStrike

 Part 1b – Prepare the CobalStrike Teamserver

Hello all,

today we’re going to install CobaltStrike Teamserver on our previously installed EC2 Kali machine, after this step, all our team members can connect to it and we can share all compromised machines, remember, as already mentioned in the previous article, in real world operation, normally we have several teamserver machines.

For the installation of CobaltStrike Team Server on EC2 linux machine we can start watching the good video of Raphael Mudge @armitagehacker

 At this point I can stop writing my article… 🙂

Raphael’s clip is still very good,but it’s based on an old version of CobaltStrike, so (I’m sorry for you) you’ll have to keep reading my article…

The first step is to get the link to download the tar file, for do this we can go at the URL :

Then click on Accept and after on Linux(.tgz), now if you right click on “Download COBALT STRIKE now!” and choose Copy link address (something like, At this point we are ready to download the installer on our EC2 machine without GUI.

Log on to your kali machine with your favorite ssh client,

Prior to download the file,I usually prefer to create a folder where I put all my installers,then let’s try to install CobaltStrike in a linux shell :

sudo /bin/bash
mkdir /CobaltStrike
mkdir /CobaltStrike/Install
cd /CobaltStrike/Install
wget (paste the URL here with shift+ins)
tar zxvf cobaltstrike-trial.tgz
mv cobaltstrike ../
cd ../cobaltstrike


Now you must verify if the java version is the correct one:

java -version 
javac -version

If so, you can start the teamserver now, otherwise you must upgrade java, depending on the type of virtual machine that you have installed (I talk about recent kali linux  machine, but your machine can be different) you can upgrade java in different ways, you can watch this interesting article :

these are the recommended commands for debian:

su -
echo "deb xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp:// --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer

if you want to set Oracle Java 8 as default:

 sudo apt-get install oracle-java8-set-default

another way to install java can be:

sudo update-java-alternatives -s java-8-oracle

Remember : It’s not recommended to use OpenJDK in combination with Cobalt Strike on Kali Linux Rolling.

Now we just have to start the teamserver:

./teamserver XX.XX.XX.XX somepassword
where XX.XX.XX.XX is the IP address of your EC2 instance (external IP, do not use ifconfig)
and somepassword is the password that the team will use to join the teamserver

Now we can connect to this teamserver with the cobaltstrike client.

If you don’t have, no problem, now I will tell you how to do:

For client installation, you simply need to extract the same file downloaded for the teamserver and run ./cobaltstrike

You can fill the field with your IP, port, your username and the password used for starting the teamserver

For demo purpose we can use a trial license, but this license is not enought per the real world, because, as Raphael says : The Cobalt Strike 3.0 trial is the full Cobalt Strike product with one [significant] difference. The Cobalt Strike 3.0 trial inserts several “tells” to get caught by standard security products. This change is made possible by Cobalt Strike’s flexibility to change its indicators and artifacts.

If you have a valid commercial license you can just run the ./update command in your teamserver and put your code onto the consolle.

It is not recommended to install a mixed client/server environment with a trial and commercial license,so, go ahead with only one.

Tips : if you want the session persists after closing the ssh terminal , you must use the “screen” command prior to start the teamserver.


For more info :

The full CobaltStrike manual is at

For now is all.

Happy hacking and stay tuned


If you missed the first part:…mazon-ec2-part-1/

The video

Building a Collaborative Attack Platform with Amazon EC2 – Part 1a: CobaltStrike

   Part 1a – Prepare the PenTest Machine

For real Red Team Operation we need a complex cloud Infrastructure, in real world the Teamserver machine can have various roles or tier, but this is beyond the scope of this article, for more information you can watch the video of Raphael Mudge @armitagehacker at

In this three videos we’ll try to build a simple EC2 machine with installed Armitage Teamserver and CobaltStrike teamserver which we will use as needed.

Let’s start

  • In real world scenario the Red Team use a business contract and various machines with meticulous capacity analysis for CPU, RAM, HD and network bandwidth, for demo purpose, we’ll use only one Micro Tier machine eligible for free usage tier.

In real world scenarios the EC2 platform is a very clever choice for its scalability, for its bandwidth, because is on-demand and with reasonable costs.  We must also consider that the real attackers will use a solution like this, so if we want to emulate the behavior of an attacker we will, in our turn, use cloud platforms. Even the functionality of teamserver usable thanks to the cloud from anywhere, are a convenience for the whole team.

The first step is to create an account on

This is not an article for script kiddies, we will use one of our real e-mail address and our real credit card number. (If you already have, you can use your Amazon Ec2 account)

We can choose from any VM linux, but for our job I would choose a Kali VM .

After create the new account (or after log in with your existing account) click on AWS services and click on EC2

Now choose instances and Launch instance

If you want to create a Kali Machine, you can’t choose quick start, you must choose AWS Marketplace

and write “kali” in the search field.

Click on select

Now we can choose the machine type, if you want to take advantage of a free tier machine, you must select t2.micro machine, choose the machine and then click Review and Launch, now we can create a new security group, and ssh is the default opened port, but for red teaming operation we need more ports to be opened, if you’d like,you could open all ports (All traffic – all protocol – all port range – all source, not reccomended in production environment ) or only few ports (for example http80, https443, dns53 and TCP 55553 for Armitage Deconfliction Server), for demo purpose we open “any-any-any-permit”

now click on Review and Launch (and the launch, if necessary), at this point,if you already have a key pair,you can just use it,otherwise you can create a new one (it’s very important to save and backup your key pair, if you loose the key, you can’t log on again on your instance)

flag the acknowledgement and then click launch  instance

if you click on the instance id you can view your instance list and you can manage y our instance

If you want you can get a new name for your instance or edit the zone where put your instance, for this demo, this details can’t be relevant.

Before installing CobaltStrike you can log on your kali machine with any ssh client, if you are using windows you can download putty.

If your ssh client use .ppk key, you need to convert the .pem certificate, you can follow the official AWS guide at

The hostname is something like that : where 00-00-00-00 is your real IP. Now you can update and upgrade you linux box with :

sudo apt-get update && sudo apt-get upgrade

For today is all.

watch part 1b – Prepare the CobalStrike teamserver

The video

Part 2 – Build Armitage Teamserver – coming soon