Skip to main content

Port Scanning Explained: How Hackers Find Locked Doors in Your Network

Imagine sitting inside your home late at night and hearing a faint click-click-click sound coming from the street, as someone walks from house to house, gently turning every single doorknob to see which one is unlocked.

In the digital world, this systematic searching is known as port scanning. It is the essential reconnaissance phase that network attackers perform before launching any exploit, but it is also one of the most powerful diagnostic tools in a system administrator’s arsenal. Every device connected to the internet has tens of thousands of virtual doorways. Understanding how these doorways are probed is key to keeping your digital home secure.

To understand how port scanning works, we first have to look at how computers talk to each other across the web.

What is a Port? Real-World Metaphors

When you connect a device to the internet, it gets assigned an IP address, which behaves like the street address of a massive office building. But when a courier (a data packet) arrives at that building, they need to know which specific office or department to deliver the package to.

This is where ports come in.

As defined in the early blueprints of the internet, specifically RFC 793 published in September 1981, every single IP address has exactly 65,535 virtual ports available for transport protocols like TCP. These ports are organized into distinct logical zones:

  • Well-Known Ports (0 to 1023): Reserved for universal services. For instance, web traffic (HTTP) uses port 80, secure web traffic (HTTPS) uses port 443, and secure command-line access (SSH) uses port 22.
  • Registered Ports (1024 to 49151): Used by specific software applications. Database services like MySQL, for example, listen on port 3306 by default.
  • Dynamic or Private Ports (49152 to 65535): Temporarily assigned by your operating system when your device initiates an outbound connection, acting as a return path.

A port scan involves sending a series of experimental network packets to these numbers on a target IP address to see how the system reacts.

The Mechanics of a Scan: The Silent Knock

Most modern port scanning relies on the fundamental mechanics of the TCP/IP protocol suite. To establish a normal connection, two computers must perform a process called the three-way handshake.

When conducting a port scan, however, an attacker often intentionally interrupts this handshake to gather information without establishing a full connection. The most popular method is the TCP SYN Scan, often referred to as a “half-open” or “stealth” scan.

TargetScannerTargetScannerSend TCP SYN (Knock, knock)Return TCP SYN-ACK (Port is Open!)Send TCP RST (Nevermind!)

As illustrated above, the scanning tool sends a TCP SYN (Synchronize) packet to a specific port on the target machine. If the port is open and listening, the target responds with a TCP SYN-ACK (Synchronize-Acknowledge) packet. At this moment, the scanner has the information it needs. Instead of responding with an ACK packet to complete the handshake, the scanner sends a TCP RST (Reset) packet to close the interaction immediately.

If the port is closed, the target machine bypasses the middle steps and immediately sends back a TCP RST packet, indicating that no service is listening.

What Attackers Learn from Open Ports

An open port does not just tell an attacker that a service exists. It often acts as a blueprint for the entire system behind it.

On September 1, 1997, a security researcher named Gordon Lyon (writing under the pseudonym Fyodor) published a tool called Nmap in issue 51 of Phrack Magazine. It remains the industry standard for network discovery. With modern scanning utilities, attackers do not just look for open ports; they perform “service version detection” and “OS fingerprinting.”

If an attacker scans your system and finds port 22 open, they will send a crafted query to trigger a response. The return banner might read: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.

With that single line, the attacker now knows:

  • You are running Linux (specifically Ubuntu).
  • Your exact OpenSSH version is 8.2p1.
  • They can cross-reference this version with public CVE (Common Vulnerabilities and Exposures) databases to find pre-written exploit scripts.

If that specific version of OpenSSH has an unpatched vulnerability, the attacker has just found their way into your network.

Checking Your Own Exposure

You do not need to be a professional cybersecurity analyst to check which of your windows are open. Regular self-auditing is a highly effective way to stay ahead of automated threat actors.

1. External Web-Based Scans

To check what your home router looks like to the outside world, you can use trusted web-based tools like Gibson Research Corporation’s ShieldsUP! service. This tool scans the most commonly targeted ports on your public IP from an external server and tells you whether they are visible, closed, or securely hidden in “stealth” mode.

2. Internal Auditing with Nmap

For a deeper look at the devices inside your local network, such as smart home gear, network storage drives, or printers, you can install Nmap on your machine. Running a basic scan from your terminal is straightforward: