What is port scanning?

Gokhan Kosem
2 min read · Jul 22, 2022


A computer runs different services and programs. To function, a service may need to communicate by sending and receiving information.

A port allows information in or out. Some ports are ‘dedicated’ to a particular service, much like a mailbox for a house on a particular street: if the lights are on in the home, you know exactly what service is operating there.

Sometimes ports are random, and you don’t know if anyone’s home. In this case, you can run a port scan: a quick knock on the door to see who is home and whether their door is open or closed.

You can try different approaches to find out who is home. You might knock on the front door, as in a TCP scan, and see whether you get a reply. If you do, you can start to figure out what service is operating in the house.

If no one is answering, you may also try a stealthier approach, such as looking through a window or knocking very slowly so that it seems like a cat or dog wanting to come in. This, too, may reveal who is in the house and whether they’re communicating.

Port scanning can be quick and intensive, or slow and more subtle. The whole point is to find out which services are running and whether they are open to communication.

But Why?

In a security sense, imagine that every service (house) has its own little book in the library recording all the weaknesses it might have. Services were also built at different stages of life, and each version iteration has different weaknesses.

Without a port scan, you wouldn’t know which services you can communicate with, or which versions they are. You’d be throwing random exploits in the dark at vulnerabilities that may not be there at all.

Now, if you have that little book and the port scan tells you the version, and everything lines up, you’re almost guaranteed to be able to exploit it based on the known vulnerabilities!

So, in a sense, a port scan identifies what software/services are operating, how they are communicating (open/closed/etc.), and which version of the software they run. With all this information about the different services, you can start making good guesses about things like the operating system of the server/computer and other helpful details.

P.S. You can run a port scan on your own computer and research the identified ports with programs like Nmap, Zenmap and Nikto, even to identify whether any malware is running on your system. Always try different methods, such as TCP & UDP, intensive and stealthy, etc. The Nmap guide is great for getting your head around it.
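As an added example (not part of the original post), here is a small Python TCP connect scanner for checking your own machine, the ‘knock on the front door’ described above: it reports each port as open, closed (the host refused) or filtered (no answer at all), and reads the greeting an open service sends, which is where version information often comes from. The demo listener, its banner text and the port numbers are constructed for the demonstration, not real services.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

def probe_port(host, port, timeout=0.5):
    """One full TCP handshake (the 'knock on the front door'); returns open/closed/filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"          # RST came back: host is up, nobody on that port
    except OSError:
        return "filtered"        # timeout/unreachable: dropped by a firewall, or host down
    finally:
        s.close()

def scan(host, ports, timeout=0.5, workers=8):
    with ThreadPoolExecutor(max_workers=workers) as pool:   # probe in parallel -> {port: state}
        return dict(pool.map(lambda p: (p, probe_port(host, p, timeout)), ports))

def grab_banner(host, port, timeout=1.0):
    """Read the service's greeting; many daemons announce their name and version here."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(128).decode(errors="replace").strip()
    except OSError:
        return ""

def start_demo_listener(banner=b"DEMO-SERVICE 1.0\r\n"):  # constructed stand-in, not a real daemon
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # free loopback port chosen by the kernel
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass         # scanner hung up without reading; keep serving
    threading.Thread(target=serve, daemon=True).start()
    return srv

def free_port():  # a loopback port nobody listens on (bind, note the number, release): the 'closed' case
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run `scan("127.0.0.1", range(1, 1025))` and call `grab_banner` on whatever comes back open to inventory what is listening on your own host.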
