From 2b78f7257e73c9e865bccceb4ff08ad5bb64f9df Mon Sep 17 00:00:00 2001 From: tomsellers Date: Sat, 9 Apr 2016 22:47:38 +0000 Subject: [PATCH] Version detection cleanup of references to Win2003 that actually matched newer versions of windows. Also, adjust/ remove 'domain' matchlines that only varied on the 3rd byte. This byte contains the response error code which varies depending on the server and query state, not the OS. --- nmap-service-probes | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/nmap-service-probes b/nmap-service-probes index e11d76289..79100bcf1 100644 --- a/nmap-service-probes +++ b/nmap-service-probes 
@@ -11538,13 +11538,10 @@ Probe UDP NBTStat q|\x80\xf0\0\x10\0\x01\0\0\0\0\0\0\x20\x43\x4bAAAAAAAAAAAAAAAA rarity 4 ports 137 -# Windows Server 2003 -match domain m|^\x80\xf0\x80\x80\0\x01\0\0....\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01|s p/Microsoft DNS/ o/Windows/ cpe:/a:microsoft:dns/ cpe:/o:microsoft:windows_server_2003/ -# Windows Server 2003 -match domain m|^\x80\xf0\x80\x82\0\x01\0\0....\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01|s p/Microsoft DNS/ o/Windows/ cpe:/a:microsoft:dns/ cpe:/o:microsoft:windows_server_2003/ -# Windows Server 2012 Release Candidate Datacenter running DNS 6.2.8400.0. -# Also PowerDNS 2.9.21-4.el5.centos, but we'll match that in DNSVersionBindReq -match domain m|^\x80\xf0\x80\x02\0\x01\0\0....\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01|s p/Microsoft DNS/ v/6.2/ o/Windows/ cpe:/a:microsoft:dns:6.2/ cpe:/o:microsoft:windows_server_2012/ +# Windows Server DNS - first two bytes are transaction ID, second two are flags, most variation is in the second part of the flag (3rd byte from start) which indicates if there is +# an error. This value isn't OS specific and depends on the state of the server. See Response Code here: +# http://www.tcpipguide.com/free/t_DNSMessageHeaderandQuestionSectionFormat.htm Windows Server 2003 +match domain m|^\x80\xf0\x80.\0\x01\0\0....\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01|s p/Microsoft DNS/ o/Windows/ cpe:/a:microsoft:dns/ cpe:/o:microsoft:windows_server/ match domain m|^\x80\xf0\x81\x83\0\x01\0\0\0\0\0\0 ckaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\0\0!\0\x01| p/Mikrotik DNS/ d/router/
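Review bot: the new comment places the varying byte at the "3rd byte from start", but in the merged matchline the wildcard is the 4th byte. `\x80\xf0` is the transaction ID, `\x80` is the first flags byte, and `.` replaces the second flags byte, which is where the three removed lines differed (`\x80`, `\x82`, `\x02`). Suggest rewording the comment to "second flags byte (4th byte from start)" so it agrees with the regex. Two smaller points on the same lines. The removed values `\x82` and `\x02` differ in the high bit as well as the low nibble, so the byte carries more than the response code (the high bit of that byte is the Recursion Available flag), and the comment could say so. The deleted comment also recorded that PowerDNS 2.9.21-4.el5.centos returns the `\x80\x02` form and is matched in DNSVersionBindReq. The merged line still reports p/Microsoft DNS/ o/Windows/ for that response, so that caveat is worth carrying over into the new comment rather than dropping it.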