If any application is scanning the ports of other machines, to find out whether any particular service/application is running, will it be considered harmful? Is this treated as hacking?
How else can one find out on which port the desired application is running (without the user input)?
Let’s say I only know the port range in which the other application could be running, but not the exact port. In this case, my application pings each of the ports in the range to check whether the other application is listening on it, using an already defined protocol. Is this a normal design? Or is this considered harmful to security?
Yes, portscans are considered a form of hacking, but a relatively low threat level (and pretty common), so it’s unlikely to have any consequences except possibly getting your IP blocked.
How else can one find out on which port the desired application is running (without the user input)?
Applications typically run on a fixed “well-known” port that is hardcoded as default.
It is not a good idea to scan for ports. Port scanning probably will be against network policies. You should make it configurable which port to connect, and use a default if not configured specifically.
If the network in question has any kind of intrusion detection, scanning a significant number of ports will tend to throw up a flag and attract administrator attention. Depending on the policies in place and whether you are inside or outside the network, the response could be anything from blocking your scans to cutting off the machine doing the scan to coming and finding you to yell at you.
Most applications run at a fixed ‘well-known’ port number (for instance, web servers normally answer at port 80). Thus, you usually don’t have to scan for things.
If you absolutely have to have a range of ports (I can’t think why), then you need to keep the range of ports small (5-10 ports would be good) and don’t hammer on all of them as fast as possible. You’ll be unlikely to attract attention if you go at reasonable rates.
Yes, as others have noted, use a well-known or default port. Make it configurable.
Scanning may not work anyway, as some sites/servers will stop responding to you if they detect port scanning.
Port scanning for security purposes is acceptable with appropriate authorization. In this case it is used to determine if services which should not be available are available. It can also be used to provide a map of listening ports for additional uses including service auditing.
Port scanning is rude, likely to be against network policies, and won’t scale very well.
There are systems intended for things like service discovery, such as zeroconf. Look into those.
Some questions in response to your question:
- Is the computer on the other end under your “control” (on the same LAN/WAN/VPN, accessible by you under some agreement with whatever remote network the computer is hooked into)?
- Are you scanning “intelligently” (trying the ports most likely to be the ones used first)?
- Could there be multiple copies of the same or similar software running on different ports?
If the answers are “yes”, “yes”, and “no”, respectively, then a port scan is probably permissible. If you don’t know exactly which port you must connect on (and it’s not the default for the application or higher-tier protocol being used), then the only two options are to ask some authority (human or automated) or to try all possibilities.
Things that are always bad about port scanning are:
- Port scans are a common attack precursor; the attacker is looking for an open door to establish a connection for further exploits. Thus, sysadmins and the hardware they maintain will see your scan, assume it’s hostile and take steps to shut you down.
- If port scans are to be expected as normal, the effectiveness of many anti-hacking tools is greatly reduced. As in the previous point, port scans are a common precursor to an attack. If some scans are to be expected as normal, and others shut down as hacking, the sysadmin/firewall must know exactly which is which (and whenever there’s a legitimate way to get in, there’s a way to spoof it).
- Port scans take time. If the remote computer ignores rather than rejects connection requests, each attempt must time out (taking several seconds) instead of your scan being able to move on to the next port after a rejection (bound mainly by threading and network latency).
However, targeted port scans on computers under your control can be a useful diagnostic. I implemented a port scanner into some software my company’s help desk uses, as a diagnostic to determine why a machine they support is responding to pings but not allowing more advanced access.
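As an added example that is not part of any answer in this thread: the design most answers converge on, written in Python. The port comes from an explicit setting with a well-known default, and only if that is absent does the code check a short, explicitly listed range, paced so it does not look like a scan, while distinguishing a refused connection (fast) from a silently dropped one (slow), as the last answer describes. The 8080 default, the MYAPP_PORT variable name and the loopback self-check are assumptions, not something the question specifies.

```python
import os
import socket
import time

DEFAULT_PORT = 8080     # constructed: the well-known default the answers say to ship with
MAX_RANGE = 10          # answers above: keep any unavoidable range to 5-10 ports
PROBE_TIMEOUT = 2.0     # seconds; a silently dropped attempt costs all of it
DELAY_BETWEEN = 0.5     # seconds between attempts, so this never hammers a host

def resolve_port(config, env=None, default=DEFAULT_PORT):
    """Preferred design: explicit config, then MYAPP_PORT (hypothetical), then default."""
    env = os.environ if env is None else env
    for candidate in (config.get("port"), env.get("MYAPP_PORT")):
        if candidate not in (None, ""):
            return int(candidate)
    return default

def probe_port(host, port, timeout=PROBE_TIMEOUT):
    """One TCP connect: 'open' (handshake), 'refused' (RST, fast) or 'timeout' (dropped)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"

def find_listening_port(host, ports, delay=DELAY_BETWEEN):
    """Paced check of a small, explicit list; the first port that answers wins."""
    ports = list(ports)
    if len(ports) > MAX_RANGE:
        raise ValueError(f"{len(ports)} ports is too many; make the port configurable")
    for i, port in enumerate(ports):
        if i:
            time.sleep(delay)
        if probe_port(host, port) == "open":
            return port
    return None

def demo():
    """Self-check against a constructed loopback listener; returns the outcomes."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))   # ephemeral port, loopback only
        srv.listen(1)
        port = srv.getsockname()[1]
        found = find_listening_port("127.0.0.1", (port + 1, port), delay=0)
    # listener closed: the same port now answers with a reset
    return {"port": port, "found": found, "after_close": probe_port("127.0.0.1", port)}
```

Note that a host that drops rather than rejects makes every miss cost the full timeout, which is why the list must stay short and the default must be right almost every time.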