Why do hackers scan for open ports?
- To run an exploit, an attacker needs a vulnerability.
- To find a vulnerability, the attacker needs to fingerprint all services which run on the machine (find out which protocol they use, which programs implement them and preferably the versions of those programs).
- To fingerprint a service, the attacker needs to know that there is one running on a publicly accessible port.
- To find out which publicly accessible ports run services, the attacker needs to run a port scan.
As you see, a port scan is the first reconnaissance step an attacker performs before attacking a system.
Consider that I want to rob your home ... Then I would look for a way to get in. But your home has door locks that allow only your locals (family) to access it, so I will search for some other way in (ports), like windows (other open public ports), and try to get some data. If ports are open for SSH/FTP, they try to exploit them: try uploading files or brute force.
As Girish points out, a port scan is like casing a house. It's a very low-noise activity when done from the internet, because you'll see dozens of port scans a day. It also gleans a small amount of information about the state of your machine, and that lets them tailor the next layer of the attack even more.
It's also dirt cheap! Doing a port scan costs the attacker almost nothing, and sometimes you get lucky. In The Art of Intrusion, Kevin Mitnick gives examples of where such attacks do pay off in real life. In a simple system, it's easy to simply lock down all of the ports. In a more complicated IT network, it's harder to prove there is no business logic reason for an open port, and the first rule of IT is "do not upset the business," so they may be left open. Mitnick's book gave the example of one case where there was a jury-rigged serial connection accidentally exposed to the internet. The attacker presumed it was a one-time kludge to solve an issue which was never dismantled after its use was no longer required. Years later, it was actually the attack vector found and exploited by the hackers.
There are situations where port scans are avoided. Advanced Persistent Threats (APT) tend to operate on the LAN. While port scans from the internet are a daily affair, port scans originating on the LAN are quite a lot "louder." Given that APTs value stealth, they will often avoid port scans that, in other circumstances, might just be random pot shots taken to see if one gets lucky.
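The answers above make two points a defender can act on: scans from the internet arrive daily, so they only matter when they stand out, while a scan originating on the LAN is rare and "loud". The following Python script is an added example (not code from any of the answers) that turns those observations into a simple detector: it parses firewall drop lines, counts how many distinct destination ports each source touched within a sliding time window, and flags sources over a threshold, with a lower threshold for internal addresses. The log line format, the RFC 5737/1918 sample addresses and the thresholds are all assumptions constructed for the illustration.

```python
"""Flag port-scan-like behaviour in firewall drop logs (added example).

The log shape below imitates netfilter/iptables LOG output but is an
assumption for this illustration, as are the sample addresses and thresholds.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<ISO timestamp> DROP SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)

# RFC 1918 ranges: a source in one of these is "on the LAN".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_line(line: str):
    """Return a dict for a well-formed drop line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def find_scanners(lines, window=timedelta(seconds=60),
                  external_threshold=20, internal_threshold=5):
    """Map each suspicious source IP to the largest number of distinct
    destination ports it hit inside any window-long interval.

    Internet sources must exceed external_threshold (scans from outside are
    background noise); LAN sources only internal_threshold (a scan from inside
    is rare and therefore worth a look at a much lower count)."""
    events = defaultdict(list)          # src -> [(timestamp, dest_port), ...]
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append((ev["ts"], ev["dpt"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                      # time-ordered for the sliding window
        threshold = internal_threshold if is_internal(src) else external_threshold
        ports_in_window = defaultdict(int)   # port -> hits currently inside window
        left, best = 0, 0
        for ts, port in evs:
            ports_in_window[port] += 1
            # Drop events that fell out of the window on the left edge.
            while ts - evs[left][0] > window:
                old_port = evs[left][1]
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
                left += 1
            best = max(best, len(ports_in_window))
        if best > threshold:
            flagged[src] = best
    return flagged


def _make_lines(src, ports, start, step_seconds=1):
    """Build constructed drop lines for src, one per port, step_seconds apart."""
    return [f"{(start + timedelta(seconds=i * step_seconds)).isoformat()} "
            f"DROP SRC={src} DST=192.168.1.10 PROTO=TCP DPT={p}"
            for i, p in enumerate(ports)]


# Constructed sample log: two internet sources and two LAN sources.
BASE = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_LOG = (
    _make_lines("203.0.113.5", range(20, 45), BASE)       # 25 ports in 25 s from outside
    + _make_lines("198.51.100.7", [22, 80, 443], BASE)   # a few common ports from outside
    + _make_lines("192.168.1.40", range(8000, 8008), BASE)  # 8 ports from inside the LAN
    + _make_lines("10.0.0.9", [445, 3389], BASE)         # two ports from inside
)

if __name__ == "__main__":
    for src, count in sorted(find_scanners(SAMPLE_LOG).items()):
        kind = "LAN" if is_internal(src) else "internet"
        print(f"{src} ({kind}): {count} distinct ports in one window")
```

With the constructed sample, the external source that touched 25 ports and the internal source that touched 8 are both reported, while the external source that hit only three common ports is ignored as everyday noise. Shrinking the window (for example to 10 seconds) drops the external scanner below its threshold but still flags the LAN host, which is the asymmetry the last answer describes.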