Reconnaissance is the intelligence-gathering phase: passive (OSINT, no target interaction) and active (scanning, direct probing). It is the foundation of all subsequent attack phases.
Passive: WHOIS, DNS, Shodan, social media, LinkedIn, job postings, GitHub, certificate transparency. Active: Nmap, web crawling, banner grabbing. Invest heavily in recon — understanding the target well leads to more efficient and successful exploitation. "Know your enemy."