you can use a tool like socat to push A port through tor, but i dont know of a way to port scan thru it.
so say you wanted to push IRC thru tor. assuming everything else is set up right you'd type
socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:irc.freenode.net:6667,socksport= 9050
then you'll point your IRC connection to localhost:4242
so you "should" be able to scan single ports thru tor that way or try to send an exploit. I honestly havent tried though.