Nmap is a network scanning tool that explores devices on a network and decides which ports are available. It determines what services they offer and if any packet filters are in use. Then, it sends packets to those ports and analyzes the responses. Essentially, it maps the network.

There are several types of port scans, such as:

• TCP Connect scans
• SYN scans
• FIN scans
• NULL scans
• ACK scans

No, port scanning is not inherently illegal.

A port scan sees packets sent to destination port numbers using various techniques. Several of these include:

1. Ping scans: A ping scan is considered the simplest port scanning technique. They are also known as internet control message protocol (ICMP) requests. Ping scans send a group of several ICMP requests to various servers in an attempt to get a response. A ping scan can be used by an administrator to troubleshoot issues, and pings can be blocked and disabled by a firewall.
2. Vanilla scan: Another basic port scanning technique, a vanilla scan attempts to connect to all of the 65,536 ports at the same time. It sends a synchronize (SYN) flag, or a connect request. When it receives a SYN-ACK response, or an acknowledgment of connection, it responds with an ACK flag. This scan is accurate but easily detectable because a full connection is always logged by firewalls.
3. SYN scan: Also called a half-open scan, this sends a SYN flag to the target and waits for a SYN-ACK response. In the event of a response, the scanner does not respond back, which means the TCP connection was not completed. Therefore, the interaction is not logged, but the sender learns if the port is open. This is a quick technique that hackers use to find weaknesses.
4. XMAS and FIN scans: Christmas tree scans (XMAS scans) and FIN scans are more discrete attack methods. XMAS scans take their name from the set of flags that are turned on within a packet which, when viewed in a protocol analyzer like Wireshark, appear to be blinking like a Christmas tree. This type of scan sends a set of flags, which, when responded to, can disclose insights about the firewall and the state of the ports. A FIN scan sees an attacker send a FIN flag, often used to end an established session, to a specific port. The system’s response to it can help the attacker understand the level of activity and provide insight into the organization's firewall usage.
5. FTP bounce scan: This technique enables the sender to disguise their location by using an FTP server to bounce a packet.
6. Sweep scan: This preliminary port scanning technique sends traffic to a port across several computers on a network to identify those that are active. It does not share any information about port activity but informs the sender whether any systems are in use.

Port scanning is a popular method cyber criminals use to search for vulnerable servers. They often use it to discover organizations’ security levels, determine whether businesses have effective firewalls, and detect vulnerable networks or servers. Some TCP methods also enable attackers to hide their location.

Cyber criminals search through networks to assess how ports react, which enables them to understand the business's security levels and the systems they deploy.

Preventing a port scan attack is reliant on having effective, updated threat intelligence that is in line with the evolving threat landscape. Businesses also require strong security software, port scanning tools, and security alerts that monitor ports and prevent malicious actors from reaching their network. Useful tools include IP scanning, Nmap, and Netcat.

Other defense mechanisms include:

1. A strong firewall: A firewall can prevent unauthorized access to a business’s private network. It controls ports and their visibility, as well as detects when a port scan is in progress before shutting it down.
2. TCP wrappers: These enable administrators to have the flexibility to permit or deny access to servers based on IP addresses and domain names.
3. Uncover network holes: Businesses can use a port checker or port scanner to determine whether more ports are open than required. They need to regularly check their systems to report potential weak points or vulnerabilities that could be exploited by an attacker.

Hackers use a port checker or port scanner attack to learn the weak points or vulnerabilities in a business’s network. When hackers send a message to a port number, the response they receive tells them whether it is open and helps them discover potential weaknesses.

A port checker or port scanner can be dangerous because they can tell hackers whether a business is vulnerable to an attack. The scan can inform an attacker of existing weak points within a company’s network or system, which they can then exploit to gain unauthorized access.

Commonly used ports are typically highly secure, while other ports may be overlooked and vulnerable to hackers. Commonly hacked TCP port numbers include port 21 (FTP), port 22 (SSH), port 23 (Telnet), port 25 (Simple Mail Transfer Protocol or SMTP), port 110 (POP3), and port 443 (HTTP and Hypertext Transfer Protocol Secure or HTTPS). Commonly targeted TCP and UDP ports include port 53 (DNS), ports 137 to 139 (Windows NetBIOS over TCP/IP), and 1433 and 1434 (Microsoft SQL Server).

Common open ports include port 20, which holds FTP; port 22, which is used for secure logins; port 53, which is the DNS; and port 80, which is the World Wide Web HTTP.