What problem does this solve?
When spraying a password across a user list, CredWolf iterates users in file order. If the user list is sorted alphabetically (common when extracted from AD with tools like ldapsearch or BloodHound), adjacent accounts may belong to the same team or OU and share the same lockout policy. Testing them sequentially increases the risk of triggering lockout thresholds on a cluster of related accounts before the operator notices.
Proposed solution
Add a --randomize flag that shuffles the user list before iteration:
credwolf -d evil.corp ntlm --dc-ip 10.0.0.1 -U users.txt -p Summer2025 --randomize
Implementation:
- Shuffle the user list in-place after loading with random.SystemRandom().shuffle() (already used for jitter, no new dependency)
- Apply to all iteration strategies: _run_users_secrets, _run_users_keys, _run_userenum
- Do not shuffle paired files (--user-pass-file, --user-hash-file, --user-key-file) since the user/secret pairs are pre-matched
- Log the randomization at verbose level so the operator can verify it's active
- Consider a --seed option for reproducible shuffles during testing
Alternatives considered
- External shuf or sort -R on the input file — works but requires shell piping and doesn't integrate with CredWolf's paired-file modes or resume state
- Per-password user shuffling (different order for each password) — more thorough but complicates resume support; start with single shuffle