Posts: 3
Threads: 1
Joined: May 2025
05-19-2025, 01:40 PM
Hello. I encrypted a pendrive partition (NTFS) with Truecrypt version 7.1. I used the RIPEMD-160 hash key and AES encryption (standard). I checked the non-system partition option. I used a password with only special characters including a space, 5 characters long. I dumped the first 32 kB of Disk Druid for Windows. The hashcat program does not search for passwords in special characters by default. Should I create a charset file or provide a command in some form? I do not want to use a mask because I do not know the order of the password characters. I did not find an answer to my question on the hashcat forum.
2. What mode to choose for Truecrypt version 7.1 when the partition is non-system (flash drive) and the hash key is RIPEMD-160 and AES encryption. This is the standard option without any changes to the default Truecrypt settings. The "-m 6243" option seems too slow and inappropriate to me, because the flash drive is non-bootable. Please help. Thank you.
--------
Bartholomew
Posts: 145
Threads: 1
Joined: Apr 2022
You dumped 32kb of disk druid? Wdym??
Anyways, you need the first 512 bytes of the encrypted partition. If you use truecrypt2hashcat.py to extract the hash, then you should use hashcat mode 29311.
If you extract manually and save the 512 bytes into a binary, then go for mode 6211.
Now, this is a slow hash, so bruteforcing is normally not advised, but if it's only 5 char long, all special chars and one of them is a space, you could try with masks "\ ?s?s?s?s", "?s\ ?s?s?s", "?s?s\ ?s?s", "?s?s?s\ ?s" and "?s?s?s?s\ ".
Posts: 3
Threads: 1
Joined: May 2025
All options 6211 6212 6213 with RIPEMD-160 hash key but in "legacy" mode with width 512 1024 and 1536 bits find the password. I ran Disk druid with parameters BS=512 and count=1. How to run python script truecrypt2hashcat.py?
Can I use custom-charset without using a mask? In another example, I don't know where the digits, the space and the special character are; the password length is 6 or 7 characters.
Thanks for the answer.
Posts: 145
Threads: 1
Joined: Apr 2022
05-24-2025, 01:35 AM
(This post was last modified: 05-24-2025, 01:38 AM by b8vr.)
1: yes, if it can crack in 6211, it can also be cracked with 6212 and 6313. This is true for all Truecrypt and veracrypt modes, that if you use a mode 3 - xts 1536 - it will also encounter xts 512 and xts 1024.
2: truecrypt2hashcat.py is located in the hashcat/tools folder. Just run it with -h, and then you can see how to use it. It's very simple.
3: custom charset without a mask? That doesn't make sense. Charsets are used with masks, so not sure what you mean. But yes, they can be customized using -1, -2, -3 and -4. E.g. -1 abc -2 @% -3 ?1?2 ?l?1?3?d will bruteforce a 4-char string trying lowercase a-z on position 1, lowercase abc on position 2, lowercase abc and special chars @% on position 3 and then digits 0-9 on position 4.
4: the last part of your question I'm not sure I understand, but in the examples I supplied in my first response, the space is escaped using \ so the mask "?s\ ?s?s?s" will create 5 char strings of special chars in position 1, a space in position 2 and special chars in positions 3, 4 and 5. In this case with a space, the " " are needed, otherwise hashcat will not interpret it properly.
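Added example, not part of the thread and not hashcat's own code: Python that counts the candidates behind the masks and custom charsets quoted in the replies above. It assumes hashcat's built-in charsets (?s being the 32 ASCII punctuation marks plus the space) and reads "\ " as a literal space as the reply describes; the function names are made up for illustration.

```python
import string
from itertools import combinations
from math import prod

# hashcat built-in charsets; ?s is the 32 ASCII punctuation marks plus the space.
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation}
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")

def expand(spec, custom):
    """Return one set of allowed characters per position of a mask."""
    out, i = [], 0
    while i < len(spec):
        ch, nxt = spec[i], spec[i + 1:i + 2]
        if ch == "\\" and nxt:            # assumption: "\x" is a literal x, as in the thread
            chars = {nxt}
        elif ch == "?" and nxt == "?":    # "??" is a literal question mark
            chars = {"?"}
        elif ch == "?" and nxt in custom:
            chars = set(custom[nxt])
        elif ch == "?" and nxt in BUILTIN:
            chars = set(BUILTIN[nxt])
        else:                             # any other character stands for itself
            chars, nxt = {ch}, ""
        out.append(chars)
        i += 1 + len(nxt)
    return out

def resolve(defs):
    """Resolve -1..-4 definitions in order; a later one may reference an earlier one."""
    custom = {}
    for key in sorted(defs):
        custom[key] = set().union(*expand(defs[key], custom))
    return custom

def keyspace(mask, defs=None):
    """Number of candidates one mask generates."""
    return prod(len(p) for p in expand(mask, resolve(defs or {})))

def distinct(masks, defs=None):
    """Number of different candidates across several masks (inclusion-exclusion)."""
    sets = [expand(m, resolve(defs or {})) for m in masks]
    total = 0
    for r in range(1, len(sets) + 1):
        for combo in combinations(sets, r):
            if len({len(s) for s in combo}) == 1:   # different lengths never overlap
                overlap = prod(len(set.intersection(*pos)) for pos in zip(*combo))
                total += overlap if r % 2 else -overlap
    return total

# Masks and charset definitions quoted from the replies above.
SPACE_MASKS = ["\\ ?s?s?s?s", "?s\\ ?s?s?s", "?s?s\\ ?s?s", "?s?s?s\\ ?s", "?s?s?s?s\\ "]
CUSTOM = {"1": "abc", "2": "@%", "3": "?1?2"}
```

The five space masks add up to 5,929,605 candidates, of which 5,580,961 are different, because ?s already contains the space and passwords with more than one space are generated by several masks. The custom-charset mask ?l?1?3?d yields 26 × 3 × 5 × 10 = 3,900 candidates.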