Security Research

How Port Scanning Works: A Practical Guide

May 2026 · 8 min read · masoSec

Port scanning is one of the first things an attacker does when targeting a network — and one of the first things a defender should do to understand their own exposure. This guide explains exactly how it works under the hood, what the different scan types do, and what your open ports reveal to someone who knows how to read the results.

What is a port, and why does it matter?

Every server communicates over numbered ports — 65,535 of them for TCP and the same for UDP. Each service listens on a specific port: web servers typically on port 80 (HTTP) and 443 (HTTPS), SSH on port 22, DNS on port 53, mail servers on port 25, 587, or 465.

An open port means something is actively listening for connections. An attacker scanning your server is looking for open ports because each one is a potential entry point — especially if the service behind it is outdated, misconfigured, or has a known vulnerability.

Key insight: A port scan doesn't attack anything. It just asks "is anyone home?" across all 65,535 doors. The attack comes later, once the attacker knows which doors are open.

How TCP scanning works

TCP (Transmission Control Protocol) is connection-oriented — before two machines communicate, they complete a three-step handshake:

Client → Server: SYN        (I want to connect)
Server → Client: SYN-ACK   (OK, go ahead)
Client → Server: ACK        (Connected)

Port scanners exploit this handshake to determine whether a port is open, closed, or filtered.

SYN scan (half-open scan)

The SYN scan — also called a "stealth scan" — is the most common technique. Instead of completing the three-way handshake, the scanner sends a SYN packet and waits for a response:

If server replies SYN-ACK  → port is OPEN (something is listening)
If server replies RST       → port is CLOSED (nothing listening)
If no reply / ICMP error    → port is FILTERED (firewall blocking it)

When the scanner gets a SYN-ACK, it immediately sends a RST to tear down the connection without completing it. This leaves minimal traces in application logs — the connection was never fully established.

# nmap SYN scan (requires root/admin)
nmap -sS -p 1-1000 192.168.1.1

# Scan all 65535 ports
nmap -sS -p- 192.168.1.1

# Scan common ports only (faster)
nmap -sS --top-ports 100 192.168.1.1

Connect scan

If you don't have root privileges, nmap falls back to a full TCP connect scan. It completes the entire handshake — which means it will appear in the target server's connection logs.

nmap -sT -p 80,443,22,3306 192.168.1.1

UDP scanning

UDP (User Datagram Protocol) is connectionless — there's no handshake. Scanning it is slower and less reliable. The scanner sends a UDP packet to each port:

If server sends ICMP "port unreachable" → port is CLOSED
If no response                           → port is OPEN or FILTERED
If application responds                  → port is OPEN
# UDP scan (very slow for large ranges)
nmap -sU -p 53,67,123,161 192.168.1.1

Why UDP matters: Services like DNS (53), SNMP (161), NTP (123), and DHCP (67) run on UDP. These are often overlooked and can be just as exploitable as TCP services.

Service and version detection

Knowing a port is open is just the start. Version detection (-sV) goes further — it sends probe packets to each open port and tries to identify exactly what software is running, including version numbers.

nmap -sV -p 22,80,443 192.168.1.1

# Example output:
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu
80/tcp  open  http    Apache httpd 2.4.41
443/tcp open  ssl/http nginx 1.18.0

Version numbers are gold for an attacker. With Apache 2.4.41, they can immediately search the CVE database for known vulnerabilities in exactly that version. A 2019 build of Apache has years of unpatched CVEs stacked up.

OS detection

OS detection (-O) works by analysing how the target responds to a series of unusual packets. Different operating systems implement the TCP/IP stack slightly differently — the timing, window sizes, and response patterns form a fingerprint.

nmap -O 192.168.1.1

# Output example:
OS details: Linux 5.4 - 5.11
Network Distance: 1 hop

This tells the attacker whether they're looking at Linux, Windows, a network appliance, or an IoT device — each with its own attack surface.

What a full nmap scan looks like in practice

nmap -sS -sV -O -A --script=default -p- 192.168.1.1

# -A enables: OS detection + version detection + script scanning + traceroute
# --script=default runs the default NSE scripts (banner grabbing, etc.)
# -p- scans all 65535 ports

A skilled attacker running this against your server gets back a detailed report: open ports, service versions, OS, and any NSE script findings — in about 2–5 minutes on a local network, or 20–40 minutes over the internet depending on firewall behavior.

Common port table

PortProtocolServiceRisk if exposed
22TCPSSHBrute-force, credential stuffing
3389TCPRDPBlueKeep, credential attacks
3306TCPMySQLDirect DB access if exposed
5432TCPPostgreSQLDirect DB access if exposed
6379TCPRedisOften unauthenticated by default
27017TCPMongoDBOften unauthenticated by default
161UDPSNMPNetwork device info disclosure
23TCPTelnetCleartext credentials

How to defend against port scanning

Scan yourself first. The single most useful thing you can do right now is run nmap -sV --top-ports 1000 your-server-ip and look at the output with fresh eyes. Anything open that surprises you is a problem.

masoSec and port scanning

masoSec's pentest module accepts nmap XML output directly. Run your scan, paste in the results, and the platform organises findings by severity, tracks remediation, and generates a PDF report. It doesn't replace running nmap yourself — it makes the findings actionable.

Check your domain's security posture

Free scan — no account needed. See your SPF, DMARC, SSL, and security headers in under 60 seconds.

Run a free scan →