Created by Will Huang (@In0de_16)


The command shows a list of user sessions including the user name, terminal used, host name, start and stop times, and duration. It also indicates if a session is still active or was terminated unexpectedly.

2023-04-27Discoveryoneliner account network


  • /usr/bin/last

Use Cases

Enumerate the users who are currently logged into the system.

The following command will display sessions that are currently active.

last | grep "still logged in"

Enumerate all user accounts that have logged into the system previously.

The last command can be used to output users who have previously logged in, by specifying the tty interface ‘console’.

last -t console

Enumerate all hosts that have remotely logged into the system before.

An attacker can use ’last’ with a filter to retrieve the connection date and remote host information for remote logins.

last | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'