Having read a few articles about Restricted Admin mode for RDP, I decided to give this a go to make sure I had all the tools in order to use this attack.
I installed a Windows Server 2012 R2 machine and enabled RDP.
Then I dumped the hashes from the box, as shown here in Metasploit using the smart_hashdump module.
Once I had the hashes I installed xfreerdp, which comes with a pass-the-hash (PTH) option by default. This is the correct syntax for doing this:
And voila, we have an RDP session using the hash rather than the user's password. Brilliant!
Thanks all, hope you find this useful 😉