Port Scanning: What It Is and When It's Legal
A port scan sends probes to a target IP address, checking which TCP and UDP ports are open and accepting connections. It's how network admins audit their own infrastructure, how security researchers map attack surfaces, and how attackers case targets before breaking in. The tool is identical. The permission is what changes everything.
How Port Scanning Works
Every service running on a server listens on a port, a number from 0 to 65535. HTTP listens on 80, HTTPS on 443, SSH on 22 (unless the admin changed it), MySQL on 3306. A port scanner sends a connection request to each port and interprets the response. For TCP, an open port answers the scanner's SYN with a SYN-ACK. A closed port responds with RST. A filtered port, one behind a firewall, returns nothing.
The SYN scan (also called a half-open scan) is the most common technique. It sends a SYN packet and waits for SYN-ACK, but never completes the handshake — it sends RST to tear the connection down. This is faster than full TCP connects and generates less noise in application logs, because no actual connection is established.
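Seen from the defender's side, the responses described above form a recognisable pattern in packet data. The following is an added example, not part of the original article: it sorts each probe into half-open (open port, handshake abandoned), closed, or filtered from its TCP flag sequence, then reports initiators that touched several ports without completing a handshake. The packet tuples, addresses, and the `min_ports` threshold are constructed assumptions.

```python
from collections import defaultdict

SCANNER, CLIENT, SERVER = "198.51.100.7", "203.0.113.5", "192.0.2.10"
# Constructed packet summaries (src, sport, dst, dport, TCP flags); not captured traffic.
PACKETS = [
    (SCANNER, 40001, SERVER, 22, "S"), (SERVER, 22, SCANNER, 40001, "SA"),
    (SCANNER, 40001, SERVER, 22, "R"),                   # open port, handshake abandoned
    (SCANNER, 40002, SERVER, 80, "S"), (SERVER, 80, SCANNER, 40002, "SA"),
    (SCANNER, 40002, SERVER, 80, "R"),
    (SCANNER, 40003, SERVER, 3306, "S"), (SERVER, 3306, SCANNER, 40003, "RA"),   # closed
    (SCANNER, 40004, SERVER, 3389, "S"),                 # filtered: no reply at all
    (SCANNER, 40005, SERVER, 27017, "S"), (SERVER, 27017, SCANNER, 40005, "RA"),
    (CLIENT, 51000, SERVER, 443, "S"), (SERVER, 443, CLIENT, 51000, "SA"),
    (CLIENT, 51000, SERVER, 443, "A"),                   # ordinary completed handshake
]

def classify_flows(packets):
    """Map (client, client_port, server, server_port) to the state its packets imply."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        if flags == "S":                                 # bare SYN: src is the initiator
            flows[(src, sport, dst, dport)].append("c:S")
        elif (dst, dport, src, sport) in flows:          # reply from the probed side
            flows[(dst, dport, src, sport)].append("s:" + flags)
        elif (src, sport, dst, dport) in flows:          # follow-up from the initiator
            flows[(src, sport, dst, dport)].append("c:" + flags)
    states = {}
    for key, seq in flows.items():
        if seq[:2] == ["c:S", "s:SA"]:                   # port answered: it is open
            states[key] = "established" if seq[2:3] == ["c:A"] else "half-open"
        elif len(seq) > 1 and "R" in seq[1]:             # RST came straight back
            states[key] = "closed"
        else:                                            # SYN was never answered
            states[key] = "filtered"
    return states

def find_scanners(packets, min_ports=4):
    """Report initiators with >= min_ports distinct ports probed but never connected."""
    per_client = defaultdict(lambda: defaultdict(set))
    for (client, _, _, port), state in classify_flows(packets).items():
        per_client[client][state].add(port)
    report = {}
    for client, by_state in per_client.items():
        unfinished = set().union(*(p for s, p in by_state.items() if s != "established"))
        if len(unfinished) >= min_ports:
            report[client] = {s: sorted(p) for s, p in by_state.items()}
    return report

print(find_scanners(PACKETS))  # only the sweeping source is reported
```

Ports are counted per initiator across all destinations, so a sweep of one port over many hosts would need the server address added to the counted set.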
What Open Ports Actually Tell an Attacker
An open port is a potential entry point. An attacker who finds port 22 open knows SSH is running — they can try credential brute-forcing or exploit known SSH vulnerabilities. Port 3389 open means Remote Desktop Protocol — a favourite target for ransomware operators. An exposed port 27017 means MongoDB, which has been found open without authentication on thousands of servers.
Banner grabbing goes further — connecting to an open port and reading the service's response often reveals the software name and version. A server running Apache 2.4.49 in October 2021 had a critical path traversal vulnerability. Anyone who scanned, found the banner, and recognised the version had everything they needed.
The Legal Question
Scanning your own systems is fine. Scanning systems you're explicitly authorised to test — penetration testing engagements with written scope documents — is fine. Scanning systems you don't own without permission is legally murky at best and clearly illegal in many jurisdictions. The US Computer Fraud and Abuse Act is broad enough that unauthorised port scanning could fall under it. Germany's Hacker Paragraph is similarly expansive.
Actually, scratch that — 'murky' undersells it. A few court cases have gone against people for port scanning alone. Most haven't been prosecuted. But intent and context matter enormously. Scanning a competitor's servers is different from scanning your own cloud environment.