Windows 2000 machines can reliably be identified remotely because they do not correctly respond to ICMP query messages with a nonstandard Type-of-Service value.
You can download it from the following link: https://packetstormsecurity.com/files/download/22847/windows2000.fingerprint.txt
Source: https://packetstormsecurity.com/files/22847/windows2000.fingerprint.txt.html