My test setup is this:
2 VMs - Windows 2000 SP4 and BT5
Using Nmap version 5.59BETA1 with BT5
nmap -sS -A -T4 <target>
Result:
root@bt:~# nmap -sS -A -T4 192.168.203.140
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-17 12:55 PDT
Nmap scan report for 192.168.203.140
Host is up (0.00041s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:0C:29:AB:3F:47 (VMware)
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1
Network Distance: 1 hop
Service Info: OS: Windows
Host script results:
|_nbstat: NetBIOS name: TEST-9VB1J0F9GS, NetBIOS user: ADMINISTRATOR, NetBIOS MAC: 00:0c:29:ab:3f:47 (VMware)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Windows 2000 (Windows 2000 LAN Manager)
|   Name: WORKGROUP\TEST-9VB1J0F9GS
|_  System time: 2011-10-17 12:55:13 UTC-7
TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.203.140
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.87 seconds
I tried turning on some debug with -d and -dd but does seem to reveal the proper fingerprint to determine SP4 is running.