What Is Port Scanning? A Beginner's Guide


Port scanning is the process of sending network packets to a target host to determine which ports are open, which services are running behind them, and what operating system is in use. It is one of the oldest and most fundamental techniques in network security -- used by both attackers mapping targets and defenders auditing their own infrastructure.

If you manage any internet-facing systems, understanding port scanning is essential. This guide covers the basics: what ports are, how different scan types work, which ports matter most, and how to interpret scan results from a defensive perspective.

TL;DR

  • Port scanning probes a target host to discover open ports, running services, software versions, and the operating system in use.
  • Every open port is a potential entry point -- the goal is to verify that only necessary services are exposed.
  • Four main scan types (TCP Connect, SYN, UDP, FIN/XMAS) offer trade-offs between speed, stealth, and accuracy.
  • Port states (open, closed, filtered) each carry different security implications that require different responses.
  • Defensive port scanning -- scanning your own infrastructure regularly -- is the most valuable use of this technique.

What Are Ports and Why Do They Matter?

A port is a logical endpoint for network communication. When your browser connects to a website, it connects to port 443 (HTTPS) or port 80 (HTTP) on the web server. When you SSH into a server, you connect to port 22. When an email arrives, it hits port 25 (SMTP) on the mail server.

Port numbers are 16-bit values, so every host has 65,536 TCP port numbers (0 through 65535) and another 65,536 UDP port numbers; port 0 is reserved, which leaves 65,535 usable ports per protocol. The Internet Assigned Numbers Authority (IANA) designates ports 0-1023 as "well-known ports" with standard service assignments, ports 1024-49151 as "registered ports" used by specific applications, and ports 49152-65535 as "dynamic" (ephemeral) ports, handed out for the client side of temporary connections.

[Figure: Port number ranges (TCP and UDP)]
Well-known ports 0 - 1,023: HTTP, HTTPS, SSH, DNS, SMTP, FTP
Registered ports 1,024 - 49,151: MySQL, PostgreSQL, Redis, MongoDB
Dynamic ports 49,152 - 65,535: ephemeral client-side ports for temporary connections
65,535 usable TCP ports + 65,535 usable UDP ports = 131,070 endpoints per host. Each open port is a potential entry point that must be secured.

Every open port represents a service that is listening for connections -- and a potential entry point for an attacker. A web server legitimately needs ports 80 and 443 open. But if that same server also has port 3306 (MySQL) exposed to the internet, that is a misconfiguration that could lead to a breach.

What Port Scanning Reveals

A port scan tells you more than just "open or closed." Depending on the scan type and depth, you can learn:

  • Port state -- Open (accepting connections), closed (responding but no service listening), or filtered (no response, typically blocked by a firewall).
  • Running service -- What software is listening on each port (Apache, Nginx, OpenSSH, MySQL).
  • Service version -- The version string the software reports, which you can map against known vulnerabilities. Treat it as a strong hint rather than proof: banners can be edited or suppressed, and distributions often backport security fixes without changing the advertised version.
  • Operating system -- TCP/IP stack fingerprinting can identify the host OS.
  • Security posture -- Unnecessary services, default configurations, outdated software, and exposed management interfaces.

Port Scan Types Explained

Different scan techniques use different network protocols and packet flags. Each has trade-offs between speed, stealth, and accuracy.

[Figure: Four main port scan types]
  • TCP Connect scan (nmap -sT target): completes the full TCP three-way handshake (SYN, SYN-ACK, ACK). Most reliable and needs no special privileges; easily logged by the target; slower than a SYN scan.
  • SYN (half-open) scan (nmap -sS target, the default when run as root): sends SYN, waits for SYN-ACK, then sends RST instead of ACK. Faster and stealthier than a connect scan; requires root/admin privileges.
  • UDP scan (nmap -sU target): sends UDP packets and waits for a response or an ICMP port unreachable message. Finds DNS, SNMP, DHCP and VPN services; very slow (no handshake); unreliable without protocol-specific payloads.
  • FIN / XMAS scan (nmap -sF / nmap -sX target): sends packets with unusual flag combinations to probe firewall rules. Can bypass some stateless firewalls; unreliable on Windows (its stack does not follow the RFC); limited practical use in 2026.

TCP Connect Scan (-sT)

The most straightforward scan type. The scanner completes a full TCP three-way handshake (SYN, SYN-ACK, ACK) with each target port, then immediately closes the connection. If the handshake completes, the port is open. If the target responds with RST (reset), the port is closed. If there is no response, the port is filtered.

TCP connect scans are reliable and do not require special privileges, but they are noisy. Because the handshake completes, the application behind the port sees a real connection and will usually log it, and firewalls and connection-tracking systems record it as well.

SYN (Half-Open) Scan (-sS)

The SYN scan -- also called a "half-open" scan -- is the default and most popular scan type. It sends a SYN packet (the first step of the TCP handshake) and waits for the response: a SYN-ACK means open, a RST means closed, and silence or an ICMP unreachable means filtered. Instead of completing the handshake, the scanner answers a SYN-ACK with a RST (in practice the scanner's own kernel sends it, because it has no socket for the half-open connection). The result is the same information as a connect scan without a full connection ever being established, which makes it faster and somewhat stealthier: the application behind the port never sees a completed connection, so it has nothing to log.

SYN scans require raw socket access, which means root or administrator privileges. On modern systems with good logging, SYN scans are still detectable by IDS/IPS -- "stealth" is relative.

UDP Scan (-sU)

UDP is a connectionless protocol with no handshake, making it fundamentally harder to scan. The scanner sends a UDP packet to a port and waits. If the port is open and the service responds, that is definitive. If the target sends an ICMP "port unreachable" message, the port is closed.

But if there is no response at all, the scanner cannot distinguish between "open" and "filtered" -- the packet may have been received and silently processed (many UDP services do not answer an unexpected payload), or it may have been dropped by a firewall. Nmap reports this ambiguity explicitly as open|filtered, and sending protocol-specific payloads (a real DNS query to port 53, an SNMP GET to port 161) is what turns it into a definite answer.

UDP scanning is slow but important. Critical services like DNS (port 53), SNMP (port 161), and IPsec VPN endpoints (IKE on port 500, NAT traversal on port 4500) run on UDP.
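As an added illustration of the TCP connect and UDP scan sections above (example code written for this page, not something from Nmap or the original article), the following script classifies ports the same way the text describes: for TCP, a completed handshake means open, a RST means closed, and silence or an ICMP unreachable means filtered; for UDP, a reply means open, an ICMP port unreachable means closed, and silence is reported as open|filtered. It targets the loopback interface and starts its own throwaway listeners so it runs offline; the host, ports and probe payload are constructed for the demonstration. Whether a closed UDP port on loopback comes back as "closed" or "open|filtered" depends on the operating system delivering the ICMP error to the socket (Linux does).

```python
import errno
import socket
import threading

HOST = "127.0.0.1"   # constructed target: the listeners below are started by this script
TIMEOUT = 1.0
# Routing/ICMP failures a router or firewall can cause; nmap reports these as "filtered".
_UNREACHABLE = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.EHOSTDOWN}


def tcp_connect_state(host, port, timeout=TIMEOUT):
    """Classify like nmap -sT: handshake completes -> open, RST -> closed, silence/ICMP -> filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))       # the kernel performs SYN / SYN-ACK / ACK for us
        return "open"
    except ConnectionRefusedError:    # target answered the SYN with RST
        return "closed"
    except socket.timeout:            # no answer at all: something dropped our SYN
        return "filtered"
    except OSError as e:
        if e.errno in _UNREACHABLE:   # ICMP unreachable from a router or firewall
            return "filtered"
        raise
    finally:
        s.close()                     # drop the connection immediately, like a scanner does


def udp_probe_state(host, port, payload, timeout=TIMEOUT):
    """Classify like nmap -sU: datagram back -> open, ICMP port unreachable -> closed,
    silence -> open|filtered (UDP has no handshake to tell those two apart).
    A *connected* UDP socket is what makes Linux hand us the ICMP error as ECONNREFUSED."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(4096)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    except OSError as e:
        if e.errno in _UNREACHABLE:
            return "filtered"
        raise
    finally:
        s.close()


def _serve(kind, handler):
    """Start a throwaway local listener of the given socket type and return its port."""
    srv = socket.socket(socket.AF_INET, kind)
    srv.bind((HOST, 0))
    if kind == socket.SOCK_STREAM:
        srv.listen(5)
    threading.Thread(target=handler, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def _tcp_handler(srv):
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            return


def _udp_handler(srv):
    while True:
        try:
            data, peer = srv.recvfrom(4096)
            srv.sendto(b"reply:" + data, peer)   # any reply at all proves the port is open
        except OSError:
            return


def _unused_port(kind):
    """Bind then release a port so that nothing is listening on it when we probe it."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe one open and one closed port of each protocol on the loopback interface."""
    return {
        "tcp_open": tcp_connect_state(HOST, _serve(socket.SOCK_STREAM, _tcp_handler)),
        "tcp_closed": tcp_connect_state(HOST, _unused_port(socket.SOCK_STREAM)),
        "udp_open": udp_probe_state(HOST, _serve(socket.SOCK_DGRAM, _udp_handler), b"probe"),
        "udp_closed": udp_probe_state(HOST, _unused_port(socket.SOCK_DGRAM), b"probe"),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:11s} {state}")
```

The one case the loopback demo cannot show is "filtered": that needs a firewall silently dropping the probe, at which point the TCP connect simply times out and the function returns the same answer nmap would. Point the two classifier functions at a host you are authorised to scan and you get a minimal connect/UDP scanner; what it lacks compared to Nmap is raw-socket SYN scanning, parallelism, retransmission, and the protocol-specific UDP payloads that shrink the open|filtered set.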

FIN, XMAS, and NULL Scans

These exotic scan types (Nmap's -sF, -sX and -sN) send TCP packets with unusual flag combinations: FIN only, FIN+PSH+URG ("Christmas tree"), or no flags at all. Per the original TCP specification (RFC 793), a closed port should respond with RST to such a packet while an open port should silently ignore it, so a missing reply is read as open|filtered. In theory this makes them stealthy, because no SYN is ever sent. In practice, many TCP stacks deviate from the RFC -- Windows, for example, answers with RST regardless of port state, so every port reads as closed -- and modern stateful firewalls and IDS flag these packets trivially. They are rarely useful in modern assessments.

Common Ports and Their Services

Knowing the standard port assignments helps you quickly assess what a scan result means. Here are the ports you will encounter most frequently.

| Port  | Protocol | Service    | Security Notes |
|-------|----------|------------|----------------|
| 21    | TCP      | FTP        | Unencrypted credentials and data. Use SFTP (over SSH, port 22) instead. |
| 22    | TCP      | SSH        | Should be key-only. Disable password auth. |
| 25    | TCP      | SMTP       | Server-to-server mail transfer (client submission normally uses 587). Check for open relay. |
| 53    | TCP/UDP  | DNS        | Check for zone transfer (AXFR) leaks; AXFR runs over TCP. |
| 80    | TCP      | HTTP       | Should redirect to HTTPS (443). |
| 443   | TCP      | HTTPS      | Check TLS version and cipher suites. |
| 3306  | TCP      | MySQL      | Should never be exposed to the internet. |
| 3389  | TCP      | RDP        | High-value target. Put behind a VPN or restrict source IPs. |
| 5432  | TCP      | PostgreSQL | Should never be exposed to the internet. |
| 6379  | TCP      | Redis      | No authentication by default. Never expose publicly. |
| 8080  | TCP      | HTTP Alt   | Often development servers or proxies. |
| 27017 | TCP      | MongoDB    | No authentication by default in older or hand-configured deployments. Major breach vector. |

Port States: Open, Closed, and Filtered

Scanners report three possible states for each port, and the distinction matters for security assessment.

[Figure: Three port states and their security implications]
Open: a service is listening and accepting connections. Action: verify it should be.
Closed: the host is reachable but no service is listening. Generally safe, no exposure.
Filtered: no response; typically a firewall is dropping packets. Good firewall behavior.

Open means a service is actively listening. This is where your attention should focus. Every open port is an attack surface that needs to be justified, secured, and monitored.

Closed means the host is reachable and responded, but no service is listening. This is not typically a security concern, though it does confirm the host is alive.

Filtered means the scanner received no response -- neither a connection acceptance nor a rejection -- or received an ICMP unreachable message. This usually indicates a firewall is silently dropping the packets. From a security perspective, this is good behavior: it reveals nothing to the scanner about whether a service exists. (Packet loss and rate limiting can also produce this state, which is why scanners retransmit before reporting it.)

Legal and Ethical Considerations

Port scanning is legal when you scan your own infrastructure. Scanning systems you do not own, and for which you have no explicit written authorization to test, is a different matter -- and potentially illegal under laws like the Computer Fraud and Abuse Act (CFAA) in the United States, the Computer Misuse Act in the United Kingdom, and similar legislation worldwide.

Common Mistake

Assuming that authorization to scan a company's web server extends to their entire IP range. Always scope your scans carefully and document what you are authorized to test.

Key principles:

  • Always get written permission before scanning any system you do not own. This includes cloud instances in shared environments, client infrastructure, and third-party services.
  • Scope your scans carefully. Authorization to scan a company's web server does not extend to their entire IP range.
  • Be aware of your cloud provider's policies. AWS, Azure, and GCP each publish a policy on vulnerability and penetration testing in their environments. The rules differ, have changed over time, and still prohibit some activities (such as denial-of-service testing), so read the current policy before you scan; some providers have required advance notification in the past.
  • Document everything. Keep records of authorization, scan scope, timing, and results. This protects you if questions arise later.

Port Scanning from a Defensive Perspective

The most valuable use of port scanning is defensive: scanning your own infrastructure to find problems before attackers do.

Best Practice

Run regular port scans against your own external IP ranges and compare results against a known-good baseline. Any new open port should trigger an investigation -- it may be a legitimate deployment or a misconfiguration waiting to be exploited.

A regular port scan answers critical questions:

  • Are any database ports (3306, 5432, 27017, 6379) exposed to the internet?
  • Are there development or management services (8080, 8443, 9090) that should be behind a VPN?
  • Are deprecated services (FTP, Telnet) still running?
  • Did a recent deployment or configuration change open an unexpected port?
  • Are the services running on expected ports actually the right software, or has something been replaced?
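The baseline comparison recommended above, as an added example (code written for this page, not from the original article or from Nmap): it parses two runs of Nmap's grepable output (-oG) and reports new open ports, ports that are no longer open, and ports where the detected service or version changed, which covers the last question in the list. The two scan outputs are constructed samples over RFC 5737 documentation addresses; in real use you would load them from files written by a command such as nmap -sS -sV -p- -oG current.gnmap <your range>.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in nmap "grepable" (-oG) format for two scans of the
# same fictional range. Each Ports entry is port/state/proto/owner/service/rpc/version/.
BASELINE = """\
# Nmap 7.95 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6//, 443/open/tcp//https//nginx 1.26//\tIgnored State: filtered (65533)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https//nginx 1.26//\tIgnored State: filtered (65534)
# Nmap done
"""

CURRENT = """\
# Nmap 7.95 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6//, 443/open/tcp//https//nginx 1.26//, 3306/open/tcp//mysql//MySQL 8.0//\tIgnored State: filtered (65532)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https//Apache httpd 2.4//\tIgnored State: filtered (65534)
Host: 203.0.113.12 ()\tPorts: 6379/open/tcp//redis//Redis key-value store//\tIgnored State: closed (65534)
# Nmap done
"""

PortKey = Tuple[int, str]                     # (port, protocol)
ServiceInfo = Tuple[str, str]                 # (service, version)
Inventory = Dict[str, Dict[PortKey, ServiceInfo]]

# The "Status: Up" lines carry no Ports field and are skipped by this pattern.
HOST_RE = re.compile(r"^Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)")


def parse_gnmap(text: str) -> Inventory:
    """Build {host: {(port, proto): (service, version)}} from -oG output.

    Only ports nmap reported as open are kept: closed and filtered ports are
    aggregated into "Ignored State" and are not entry points.
    """
    inv: Inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports_field = m.groups()
        entries = inv.setdefault(host, {})
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue                      # malformed entry; never trust scanner output blindly
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                entries[(int(port), proto)] = (service, version)
    return inv


def diff_inventories(baseline: Inventory, current: Inventory) -> Dict[str, List[tuple]]:
    """Report what changed between two scans; every item needs a human decision."""
    report: Dict[str, List[tuple]] = {"new_open": [], "no_longer_open": [], "service_changed": []}
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        for key in sorted(set(before) | set(after)):
            port, proto = key
            if key not in before:
                report["new_open"].append((host, port, proto) + after[key])
            elif key not in after:
                report["no_longer_open"].append((host, port, proto))
            elif before[key] != after[key]:   # same port, different software behind it
                report["service_changed"].append((host, port, proto, before[key], after[key]))
    return report


def run(baseline_text: str = BASELINE, current_text: str = CURRENT) -> Dict[str, List[tuple]]:
    return diff_inventories(parse_gnmap(baseline_text), parse_gnmap(current_text))


if __name__ == "__main__":
    for category, items in run().items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

Against the sample data the report shows MySQL newly reachable on 203.0.113.10, a previously unseen host 203.0.113.12 exposing Redis, and the web server on 203.0.113.11 swapped from nginx to Apache at the same port. The first two are exactly the database-port question at the top of the list; the third is the "right software" question, and would be invisible to a diff that compared only port numbers.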

For a hands-on guide to running your own port scans, see our article on how to scan for open ports. If you want to test quickly without installing anything, the Metric Tower port checker lets you check specific ports from your browser. And for a deeper comparison of scanning tools, check out our top port scanning tools guide.

Key Takeaways

  1. Every open port is an attack surface -- if a port does not need to be open, close it. If it does, secure it with authentication and encryption.
  2. SYN scans are the default for a reason -- they are fast, accurate, and provide the same information as a full TCP connect scan without creating full connections.
  3. Do not skip UDP scanning. Critical services like DNS, SNMP, and VPN endpoints use UDP and are frequently misconfigured.
  4. Defensive port scanning -- regularly scanning your own infrastructure -- is the highest-value use of this technique for security teams.

Port scanning is the starting point of any security assessment. Understanding which ports are open, what services run behind them, and whether they should be there is foundational knowledge that informs every subsequent security decision.
