The implication is then that the hacker sets up a script up to scan a range of hosts on a particular port which is likely to be open (one of the common ones that normally has to be open e.g. 53, 80, ? 443 ? 1743 or ports with known current vulnerabilities) etc and look for a response coming back. This serves to identify vulnerable hosts and allows for a more instaneous upload of the exploit which can be immediately uploaded and presumably all of this is done automatically. The hacker meantime is getting a Swedish manicure and will come back and pick up the results later.