Key Terms
Port Scanning
Probing a host's ports to discover which services are open, closed, or filtered — used by both attackers during reconnaissance and defenders during security audits.
Nmap
Network Mapper — the most widely used port scanning and network discovery tool, used daily by both attackers and security professionals worldwide.
TCP SYN Scan
A stealth scan technique that sends a SYN packet but never completes the three-way handshake — faster and harder to detect than a full TCP connect scan.
Service Enumeration
Identifying the exact software and version running behind an open port — critical for mapping discovered ports to known CVEs and exploitable vulnerabilities.

What ports are

Every network-connected device uses ports to route incoming and outgoing traffic to the correct application. Ports are numbered 0–65535 for both TCP and UDP, giving over 65,000 possible communication channels per protocol on any single host. The well-known ports (0–1023) are reserved for standard services: port 80 for HTTP, 443 for HTTPS, 22 for SSH, 3389 for RDP, 25 for SMTP, and 3306 for MySQL, among many others.

An open port is a listening service — a door that accepts incoming connections. The set of open ports on a host is its attack surface. Every open port is a potential entry point that an attacker can probe for vulnerabilities, weak credentials, or outdated software with known CVEs.

Unexpected open ports are particularly significant. A server that should only be running a web application has no legitimate reason to have port 3389 (RDP) open to the internet. When defenders find that, it indicates either a misconfiguration or a compromise — an attacker may have installed a backdoor or remote access tool and exposed it on a non-standard port to maintain persistence.

How port scanning works

A port scanner sends packets to target ports and analyses the responses to determine the port's state. Each scan technique makes a different trade-off between speed, stealth, and reliability:

  • TCP Connect Scan: Completes the full three-way handshake (SYN → SYN-ACK → ACK) to confirm the port is open, then immediately closes the connection. The most reliable method, but easily logged by the target because a completed connection is always recorded in application and firewall logs.
  • SYN Scan (Half-open): Sends a SYN packet and waits. If the target replies with SYN-ACK, the port is open. The scanner immediately sends a RST to abort the connection before it completes — the handshake never finishes, so many logging systems never record a full connection. This is the most common scan type.
  • UDP Scan: Sends UDP packets to each port. If the port is open, often no response comes back (UDP is connectionless). If closed, the target sends an ICMP "port unreachable" message. UDP scanning is slower and less reliable than TCP but necessary to discover services like DNS (53), SNMP (161), and DHCP (67/68).
  • NULL, FIN, and Xmas Scans: Send TCP packets with unusual flag combinations. Designed to evade older stateless firewalls that only filter based on SYN packets. Less effective against modern stateful firewalls but still used in specific evasion scenarios.

Nmap essentials

Nmap (Network Mapper) is the industry-standard tool for port scanning and network discovery. It is open-source, included in Kali Linux and most penetration testing distributions, and used daily by security professionals for everything from quick audits to comprehensive reconnaissance. Every CEH v13 student uses Nmap extensively in the scanning and enumeration modules.

The most useful Nmap commands for understanding what a target is running:

  • nmap -sV [target] — Service version detection. Probes open ports to identify the exact application and version. A single scan can reveal "Apache 2.4.29" or "OpenSSH 7.4" — information that maps directly to CVE databases.
  • nmap -O [target] — OS fingerprinting. Analyses TCP/IP stack characteristics to identify the operating system. Useful for narrowing down exploit selection.
  • nmap -p- [target] — Scan all 65,535 ports. Default Nmap scans only the top 1,000 most common ports. Attackers and thorough auditors scan every port to find services running on non-standard ports.
  • nmap -sS [target] — SYN scan (half-open, stealth). Requires root/administrator privileges.
  • nmap -sU [target] — UDP scan. Slow but necessary to find UDP services.

Nmap output categorises each port as open (a service is listening), closed (the host responds but nothing is listening), or filtered (a firewall is blocking responses — the port's state is unknown). Filtered ports are particularly interesting because they indicate something is blocking access — potentially protecting a service that would otherwise be open.

Nmap Is a Defender's Tool Too

Nmap is not just an attacker tool — network admins and security teams use it daily to audit their own infrastructure. Knowing what ports are exposed on your systems is the first step in hardening them. Run nmap -sV -p- your-own-server and you'll often find surprises.
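One way to turn that audit into a repeatable check, as an added example that is not part of the original page: parse the XML Nmap emits with `-oX`, keep every port's open/closed/filtered state and service banner, and report any open port that is not on the host's allowlist. The scan output below is constructed for a hypothetical web server (192.0.2.10 is a documentation address) and is not a real scan result.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -p- -oX -` output for a made-up web server:
# besides SSH/HTTP/HTTPS it also exposes RDP, the misconfiguration described above.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p- -oX - 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.29"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.29" tunnel="ssl"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
  <service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/></port>
</ports></host></nmaprun>
"""

def parse_ports(xml_text):
    """Return {(proto, port): (state, service_label)} for every port Nmap reported.

    state is Nmap's own classification: open, closed or filtered."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        for port in host.iter("port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state = port.find("state").get("state")
            svc = port.find("service")
            label = ""
            if svc is not None:
                # Join name/product/version, skipping attributes Nmap could not fill in.
                fields = (svc.get("name"), svc.get("product"), svc.get("version"))
                label = " ".join(v for v in fields if v)
            result[key] = (state, label)
    return result

def unexpected_open(ports, allowlist):
    """Open ports not in the allowlist; each one is an audit finding to investigate."""
    return sorted((k, v[1]) for k, v in ports.items()
                  if v[0] == "open" and k not in allowlist)

# What this hypothetical web server is supposed to expose.
WEB_SERVER_ALLOWLIST = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

if __name__ == "__main__":
    ports = parse_ports(SAMPLE_NMAP_XML)
    for (proto, num), label in unexpected_open(ports, WEB_SERVER_ALLOWLIST):
        print(f"UNEXPECTED open {proto}/{num}: {label or 'unknown service'}")
```

Filtered ports are kept in the parsed result but not reported as findings, so the allowlist diff only flags services that actually answered.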

What scan results reveal

An open port alone is not an exploit — it is a lead. The value of a port scan comes from what you do with the results. Service version detection is the critical next step: once you know that port 8080 is running Tomcat 7.0.23, you can search the CVE database for every known vulnerability in that version and determine which are remotely exploitable without authentication.

Unexpected or unusual open ports are red flags in both directions. During a penetration test, a non-standard port running an unfamiliar service often points toward a poorly hardened system or legacy software. During an incident investigation, a new listening port that wasn't there last week may indicate malware, a backdoor, or an attacker maintaining persistence.

OS fingerprinting narrows the exploit selection process significantly. An attacker who knows a server is running Windows Server 2012 R2 can immediately focus on exploits applicable to that specific OS version rather than testing blindly.

How defenders detect scanning

Port scanning leaves traces. Defenders can detect and respond to scanning activity through several mechanisms:

  • Firewall and router logs: Probes across many different ports from a single source IP in a short window are a clear scanning signature. A host that attempts to connect to ports 1, 2, 3, 4... in rapid sequence is obviously running a scanner, but note that Nmap randomises port order by default, so detection logic should count distinct destination ports per source rather than look for a strictly ascending sequence.
  • IDS signatures: All major IDS/IPS platforms ship with signatures specifically for Nmap and other common scanners. SYN floods, unusual flag combinations, and high-rate connection attempts all trigger alerts.
  • Honeypots: Fake services that exist solely to detect probing. Any connection to a honeypot port is by definition suspicious — there is no legitimate reason to connect to a service that isn't advertised.
  • Rate limiting: Firewalls configured to rate-limit inbound connection attempts from a single source will slow down or block scanners. This doesn't prevent scanning but significantly increases the time required.
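The firewall-log heuristic from the first bullet as working detection logic, added here and not part of the original page: for each source IP it keeps a sliding window of recent connection attempts and alerts when the number of distinct destination ports in that window crosses a threshold, which catches randomised as well as sequential probing while leaving a client that repeatedly reaches one port alone. The log lines and their iptables-like format are constructed, not captured from a real device.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall log lines (not from a real device) in a simplified iptables-like
# format: 203.0.113.5 is a normal client hitting 443; 198.51.100.7 probes many ports.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dpt=8443 flags=S
2024-05-01T10:00:00Z ACCEPT src=203.0.113.5 dst=192.0.2.10 proto=TCP dpt=443 flags=S
2024-05-01T10:00:01Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dpt=21 flags=S
2024-05-01T10:00:01Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dpt=3389 flags=S
2024-05-01T10:00:02Z ACCEPT src=203.0.113.5 dst=192.0.2.10 proto=TCP dpt=443 flags=S
2024-05-01T10:00:02Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dpt=445 flags=S
2024-05-01T10:00:03Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dpt=139 flags=S
2024-05-01T10:00:03Z ACCEPT src=203.0.113.5 dst=192.0.2.10 proto=TCP dpt=443 flags=S
2024-05-01T10:00:04Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dpt=1433 flags=S
"""

LINE_RE = re.compile(r"^(\S+) (\w+) src=(\S+) dst=(\S+) proto=(\w+) dpt=(\d+)")

def detect_scanners(log_text, window_s=10, min_ports=5):
    """Return {src_ip: max_distinct_ports} for every source that reached at least
    min_ports distinct destination ports within any window_s-second window."""
    recent = defaultdict(deque)   # src -> (timestamp, dport) events still in the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that are not connection attempts
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        src, dport = m.group(3), int(m.group(6))
        events = recent[src]
        events.append((ts, dport))
        # Expire events that fell out of the sliding window.
        while (ts - events[0][0]).total_seconds() > window_s:
            events.popleft()
        distinct = {p for _, p in events}
        if len(distinct) >= min_ports:
            alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    for src, count in detect_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct ports probed")
```

Tune `window_s` and `min_ports` to the network: a slow scan spread over hours needs a longer window, at the cost of more state per source.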
At a glance

  • 65,535: total TCP and UDP ports available per protocol on any host
  • 1 min: Nmap scans the top 1,000 ports on a typical host
  • 3389: RDP, the most commonly brute-forced port globally

Train with VAPTIC
CEH v13 — Certified Ethical Hacker
Modules 3 and 4 cover scanning and enumeration with hands-on Nmap labs in a live browser environment.