as atom already said, it is not possible to do this with NUL-bytes.
edit: sorry, i mixed the different hashcat versions.
with oclhashcat-* you can use the --hex-charset option with an appropriate mask.
this should work for the salt mask:
0000000000000000
and for the password you simply prepend the password mask.
e.g. ?d?d?d?d?d?d?d?d0000000000000000
but this runs you into another problem: oclhashcat-* only supports plains up to 15 characters. So this will not work for your scenario.
edit: sorry, i mixed the different hashcat versions.
with oclhashcat-* you can use the --hex-charset option with an appropriate mask.
this should work for the salt mask:
0000000000000000
and for the password you simply prepend the password mask.
e.g. ?d?d?d?d?d?d?d?d0000000000000000
but this runs you into another problem: oclhashcat-* only supports plains up to 15 characters. So this will not work for your scenario.