Port Scanning: What It Is and When It's Legal
A port scan sends probes to a target IP address, checking which TCP and UDP ports are open and accepting connections. It's how network admins audit their own infrastructure, how security researchers map attack surfaces, and how attackers case targets before breaking in. The tool is identical. The permission is what changes everything.
How Port Scanning Works
Every service running on a server listens on a port — a number from 0 to 65535. HTTP listens on 80, HTTPS on 443, SSH on 22 (unless the admin changed it), MySQL on 3306. A port scanner sends a connection request to each port and interprets the response. An open port responds with a SYN-ACK. A closed port responds with RST. A filtered port — behind a firewall — returns nothing.
The SYN scan (also called a half-open scan) is the most common technique. It sends a SYN packet and waits for SYN-ACK, but never completes the handshake — it sends RST to tear the connection down. This is faster than full TCP connects and generates less noise in application logs, because no actual connection is established.
What Open Ports Actually Tell an Attacker
An open port is a potential entry point. An attacker who finds port 22 open knows SSH is running — they can try credential brute-forcing or exploit known SSH vulnerabilities. Port 3389 open means Remote Desktop Protocol — a favourite target for ransomware operators. An exposed port 27017 means MongoDB, which has been found open without authentication on thousands of servers.
Banner grabbing goes further — connecting to an open port and reading the service's response often reveals the software name and version. A server running Apache 2.4.49 in October 2021 had a critical path traversal vulnerability. Anyone who scanned, found the banner, and recognised the version had everything they needed.
The Legal Question
Scanning your own systems is fine. Scanning systems you're explicitly authorised to test — penetration testing engagements with written scope documents — is fine. Scanning systems you don't own without permission is legally murky at best and clearly illegal in many jurisdictions. The US Computer Fraud and Abuse Act is broad enough that unauthorised port scanning could fall under it. Germany's Hacker Paragraph is similarly expansive.
'Murky' probably undersells it. A few court cases have gone against people for port scanning alone. Most haven't been prosecuted. But intent and context matter enormously. Scanning a competitor's servers is different from scanning your own cloud environment.
Reading the Scan Results
When you see port 22 open, that's SSH — check that it's using key-based authentication, not passwords. Port 80 and 443 open on a web server is expected. Port 3389 open on a machine that shouldn't have Remote Desktop enabled is a problem. Port 445 open (Windows file sharing) directly on the internet is how EternalBlue worked — the NSA exploit behind WannaCry and NotPetya. That one port, exposed on a misconfigured Windows server, caused an estimated $10 billion in damage in 2017.
The 'filtered' state in nmap output means a firewall is silently dropping probes rather than responding with RST. That's better than 'open', but the service behind the filter still matters. Filtered ports where active, exploitable services are running are one failed firewall rule away from being open. Know what's there, even if it's currently blocked.
Scan Your Own Open Ports
See which ports are exposed on your IP address — run a legitimate scan on your own network.
Run Port ScanAbout Kunal Khatri
Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.
Related Articles
TLS 1.3: What Changed and Why You Should Care
TLS 1.3 dropped a decade of accumulated cruft from its predecessor and came out faster, more secure, and harder to attack. Understanding what changed matters for anyone running web infrastructure.
Zero-Day Vulnerabilities: What They Are and Why They're Dangerous
A zero-day is a vulnerability that nobody knows about yet — except the people exploiting it. The timeline from discovery to patch is where real damage happens.
SSL Certificates Explained Without the Jargon
SSL certificates enable HTTPS and underpin trust on the web. The certificate system is more complex — and more fragile — than the padlock icon suggests.
What Is a Botnet and How Your Device Could Be Part of One
Botnets are networks of compromised devices under attacker control. They power spam campaigns, DDoS attacks, and fraud — and your home device might be in one right now.
