Created February 19, 2010 16:53
[#soggies 15:39] <james> Last-Logon Attribute
[#soggies 15:40] <james> The last time the user logged on. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last logon time is unknown.
[#soggies 15:40] <james> because they may have logged in on Jan 2, 1601...
[#soggies 15:47] <jamison> james: I have a script that does bigmath on that value.
[#soggies 15:47] <jamison> because that value is a bitch
[#soggies 15:49] <james> perl?
[#soggies 15:49] <jamison> of course
[#soggies 15:50] <james> gist?
[#soggies 15:50] <jamison> sure. one second
[#soggies 15:50] <james> cool. I was writing one... :)
[#soggies 15:50] <jamison> also, you want to be checking lastLogonTimestamp if you have a fully integrated W2K3 domain.
[#soggies 15:50] <james> yeah, I'm looking at the things that bit us.
[#soggies 15:50] <jamison> Because lastLogon is separate on every DC. lastLogonTimestamp is replicated between all DCs
[#soggies 15:50] <james> did you read above?
[#soggies 15:51] <jamison> http://gist.github.com/231309
[#soggies 15:51] <crunchy> http://tumble.wcyd.org/irclink/?10396
[#soggies 15:51] <james> jamison: how long does it take to pwn a DC with anon_bind+usernames==passwords+not_NTLMv2?
[#soggies 15:51] <jamison> the lastLogonTimestamp is the same value, just replicated.
[#soggies 15:51] <jamison> yeah, I read the above. funny stuff.
[#soggies 15:51] <james> thanks, yo.