
Every open port is a door. Port scanning is the attacker walking down the hallway, trying every handle.

Before exploitation comes reconnaissance. Attackers need to know what's accessible—what services are running, what software versions, what's accidentally exposed. Port scanning answers these questions systematically, mapping the attack surface before the real work begins.

Why Attackers Scan

An open port means a service is listening. A service listening means code running. Code running means potential vulnerabilities.

Different services have different weaknesses. Web servers on port 80 face different attacks than SSH on port 22 or MySQL on port 3306. Knowing what's running lets attackers choose their tools.

The valuable finds aren't always the obvious services. Sometimes a database port is accidentally exposed to the Internet. Sometimes an admin interface is left open. Sometimes software from 2015 is still running, unpatched, waiting. Scanners find what was meant to be hidden.

TCP Scanning: Exploiting Politeness

TCP's three-way handshake is a polite introduction: "Hello" (SYN), "Hello, I heard you" (SYN-ACK), "Great, let's talk" (ACK). This politeness becomes a vulnerability. Ask if anyone's home, and TCP answers honestly.

Connect scanning completes the full handshake. If the conversation finishes, the port is open. If the target sends RST ("go away"), the port is closed. If the only answer is silence or an ICMP unreachable message, a firewall is filtering the port.

This works perfectly but leaves traces. Completed connections generate logs. Intrusion detection systems notice. The attacker's visit is recorded in the guest book.

SYN scanning exploits a loophole. Send the opening SYN, wait for SYN-ACK (confirming someone's listening), then send RST to abort instead of completing with ACK. You learned the port is open without fully connecting—like knocking on a door, hearing "who's there?", and running away before they open it.

This avoids some logging since the connection never completes. But modern security systems recognize the pattern. Half-finished handshakes from a single source hitting port after port aren't subtle.

FIN, NULL, and Xmas scans send malformed packets—wrong flags, missing flags, too many flags. RFC 793 says closed ports should respond with RST to this nonsense while open ports should silently ignore it. By watching for RST responses, attackers identify closed ports; silence suggests open.

The cleverness is real but the reliability isn't. Many systems don't follow the RFC exactly. Security systems recognize bizarre flag combinations as obvious scan attempts.

ACK scanning tests firewall rules rather than port state. A lone ACK belongs to no connection, so a host that receives it answers RST whether the port is open or closed; silence or an ICMP unreachable means something in the path dropped it. A stateless firewall that only matches port numbers lets the stray ACK through, while a stateful one drops it because it matches no tracked connection. The responses reveal what's filtering traffic, mapping the security architecture.

UDP Scanning: The Silence Problem

UDP doesn't handshake. Send a packet, hope for the best. This makes scanning harder.

Send UDP to a closed port, and you get ICMP Port Unreachable. Send to an open port, and typically nothing—UDP services don't acknowledge receipt. Silence means either "open" or "packet lost somewhere." The ambiguity is fundamental.

Scanners must wait through timeouts to conclude a port is probably open. Systems rate-limit ICMP messages, slowing things further. UDP scanning takes patience.

But UDP services matter. DNS, SNMP, VPNs—all UDP. Scanning only TCP misses half the attack surface.

Speed Versus Stealth

Fast scans finish quickly but announce themselves. Thousands of connection attempts per second create traffic spikes that security systems notice immediately.

Slow scans spread packets across hours or days. One port per minute. Random intervals. The pattern dissolves into normal traffic noise, but comprehensive scanning takes forever.

Attackers balance based on their goals. Quick reconnaissance of a specific target might tolerate detection. Long-term mapping of an organization demands patience.

Fragmentation, decoy source addresses, and distributed scanning add sophistication. Packets arrive from seemingly unrelated sources, making attribution difficult.

After the Scan: Fingerprinting

Open ports are just the beginning. Attackers need specifics.

Many services announce themselves. Connect to SSH and see "SSH-2.0-OpenSSH_7.4". Request a web page and the response includes "Server: Apache/2.4.41". These banners reveal exact versions, pointing attackers to known vulnerabilities.

Even without banners, services respond to probes in characteristic ways. Specific packets elicit responses that fingerprint software and versions. The way a service handles edge cases identifies it.

Operating system detection works similarly. TCP/IP stack implementations differ subtly—initial TTL values, window sizes, responses to malformed packets. Probe carefully and the responses reveal whether you're facing Windows, Linux, or BSD.

The Tools

Nmap is the standard. Comprehensive scan types, version detection, OS fingerprinting, scriptable vulnerability checks. Security professionals and attackers use the same tool.

Masscan and ZMap prioritize speed over sophistication. Capable of scanning the entire Internet in minutes. Research-oriented but dangerous in the wrong hands.

Shodan changes the game entirely. It scans the Internet continuously, indexing everything it finds. Attackers don't need to scan—they search Shodan for vulnerable services already cataloged. The reconnaissance is done for them.

Defense

You cannot prevent scanning. Anyone can send packets to your IP addresses. But you can control what they discover.

Minimize exposure. Close unnecessary ports. Run only essential services. Firewall everything that doesn't need Internet access. The smallest attack surface reveals the least.

Detect patterns. Connection attempts to many ports from one source. Connections to ports with nothing listening. Unusual TCP flags. Rapid successive attempts. These patterns identify scans.
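The three patterns just listed, together with the malformed FIN/NULL/Xmas flag combinations described earlier, can be turned into detection logic over firewall logs. The example below is added here and is not from the original page; the log format, IP addresses and threshold values are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

SCANNER, CLIENT, TARGET = "198.51.100.7", "192.0.2.50", "203.0.113.10"  # constructed addresses
PROBED = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389]

# Constructed log lines: timestamp src dst dport proto tcp-flags action ("-" = no flags set)
SAMPLE_LOGS = "\n".join(
    [f"2024-05-01T10:00:{i:02d} {SCANNER} {TARGET} {p} TCP S "
     f"{'ACCEPT' if p in (22, 80) else 'DROP'}" for i, p in enumerate(PROBED)]
    + [f"2024-05-01T10:01:00 {SCANNER} {TARGET} 80 TCP - DROP",    # NULL probe
       f"2024-05-01T10:01:01 {SCANNER} {TARGET} 80 TCP FPU DROP",  # Xmas probe
       f"2024-05-01T10:00:05 {CLIENT} {TARGET} 443 TCP S ACCEPT",  # ordinary client
       f"2024-05-01T10:00:09 {CLIENT} {TARGET} 443 TCP S ACCEPT"])

# Flag combinations no legitimate client opens a connection with (the RFC 793 edge cases)
MALFORMED = {frozenset(): "NULL", frozenset("F"): "FIN", frozenset("FPU"): "Xmas"}

def parse_line(line):
    ts, src, dst, dport, proto, flags, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "flags": frozenset(flags.strip("-")), "action": action}

def detect_scans(log_text, port_threshold=10, window_s=60):
    """Return {src: set(reasons)} for sources whose traffic matches a scan pattern."""
    by_src = defaultdict(list)
    for e in map(parse_line, log_text.strip().splitlines()):
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = set()
        # 1. Many distinct destination ports from one source inside a sliding time window
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            if len({e["dport"] for e in in_window}) >= port_threshold:
                reasons.add("many-ports")
                break
        # 2. Repeated SYNs to ports where nothing is listening (dropped by the firewall)
        if sum(1 for e in evs if "S" in e["flags"] and e["action"] == "DROP") >= port_threshold // 2:
            reasons.add("closed-port-hits")
        # 3. Malformed TCP flag combinations used by FIN/NULL/Xmas scans
        for e in evs:
            if e["proto"] == "TCP" and e["flags"] in MALFORMED:
                reasons.add(MALFORMED[e["flags"]] + "-scan")
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for src, why in detect_scans(SAMPLE_LOGS).items():
        print(src, sorted(why))
```

The ordinary client, which opens two normal connections to one port, produces no finding; the scanning source is flagged on all three patterns.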

Rate limit. Restrict connection attempts per source per second. Fast scans become impractical.

Port knocking hides services behind authentication sequences—send the right pattern of packets first, and only then does the port accept connections. Services appear closed to casual scanning.

Tarpits respond to scans extremely slowly, tying up scanner resources and making comprehensive scanning take impractically long.

Honeypots present fake services that look valuable. When accessed, they alert security teams and reveal attacker techniques.

Legal Reality

Port scanning without permission occupies murky legal territory. Many jurisdictions consider it unauthorized access or trespassing, even without exploitation. The scan itself may be illegal.

Scan only systems you own or have explicit written authorization to test. Internet-wide scanning without permission risks legal consequences regardless of intent.
