One way to locate another peer in a local area network is to broadcast a specifically constructed packet to the whole IPv4 subnet using the broadcast address. Then the peer client can be written to respond to the host who broadcast the message and make a connection. A perfect example of an application that uses this method is Dropbox. Dropbox uses what they call LAN sync, which allows files to be transferred from peer to peer if that file is present in a Dropbox on a host within the LAN. If you fire up Wireshark, you can see the LAN sync messages being broadcast from the broadcast address.
Hackers can use any remote communication protocol to exploit an application if there is a vulnerability present. The best way to avoid this is by using secure coding practices and end-to-end encryption. It's not the ports necessarily being open or closed that you need to worry about, but the code sitting at the application layer.
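
As an added example (not part of the original post and not Dropbox's actual LAN sync format), here is a broadcast discovery datagram whose receiver applies the secure-coding point above: it checks the exact length and an HMAC tag before trusting any field. The `DISC` packet layout, the pre-shared key, UDP port 47000 and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

MAGIC = b"DISC"                  # hypothetical protocol tag (assumption)
HEADER = struct.Struct("!4sBH")  # magic, version, announced TCP port
TAG_LEN = 32                     # HMAC-SHA256 output size
PACKET_LEN = HEADER.size + TAG_LEN


def build_announce(key: bytes, tcp_port: int) -> bytes:
    """Build the datagram a peer broadcasts to announce its TCP port."""
    body = HEADER.pack(MAGIC, 1, tcp_port)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_announce(key: bytes, data: bytes):
    """Return the announced TCP port, or None if the datagram is not trusted."""
    if len(data) != PACKET_LEN:                 # exact length, no trailing bytes
        return None
    body, tag = data[:HEADER.size], data[HEADER.size:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    magic, version, tcp_port = HEADER.unpack(body)
    # Policy choice for this example: refuse privileged ports and port 0.
    if magic != MAGIC or version != 1 or tcp_port < 1024:
        return None
    return tcp_port


def announce(key: bytes, tcp_port: int, udp_port: int = 47000) -> None:
    """Send one announcement to the limited broadcast address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(build_announce(key, tcp_port), ("255.255.255.255", udp_port))


def listen(key: bytes, udp_port: int = 47000) -> None:
    """Print authenticated announcements; drop everything else silently."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", udp_port))
        while True:
            data, (addr, _) = sock.recvfrom(2048)
            port = parse_announce(key, data)
            if port is not None:
                print(f"peer {addr} offers TCP port {port}")
```

The tag only proves that the sender knows the shared key; it does not stop a captured announcement from being replayed, and the TCP connection that follows still needs its own authentication and encryption.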