parsed.org

Tips by tag: paranoid

Adding Users with Passwords by xinu on Sep 10, 2005 12:13 AM

BSD is a little paranoid about where your passwords come from, so it insists on getting them from a stream. Here's an example:

(edit the file '/tmp/pass' and deposit the password there)            
% su root -c sh
Password:
# pw useradd -n test -c "Test User" -m -h 3 3< /tmp/pass
# grep test /etc/master.passwd
test:$1$T2tu0BET$UGPrNB1FavzjlzhTwUWRN.:1002:1002::0:0:Test User:/home/test:/bin/sh
# exit
% su test
Password: [typed "foobar" here...]
$ exit

Tags: bsd, commands, freebsd, neat, paranoid, passwords, pw, security

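The session above does not show how /tmp/pass is created or cleaned up. As an added example (not part of the original tip), here is a hypothetical wrapper, run_with_password_fd3, that keeps the password in a mode-0600 temp file only while the wrapped command runs and passes it on file descriptor 3, as `-h 3` expects.

```shell
#!/bin/sh
# Added example, not part of the original tip. run_with_password_fd3 is a
# hypothetical helper name; the pw line at the bottom mirrors the tip.

# Read one password line from stdin, keep it in a private temp file only for
# the lifetime of the wrapped command, and hand it over on file descriptor 3.
run_with_password_fd3() (
    # mktemp creates the file with mode 0600 and an unpredictable name
    passfile=$(mktemp "${TMPDIR:-/tmp}/pass.XXXXXX") || exit 1
    tty_echo_off=no
    cleanup() {
        rm -f "$passfile"
        [ "$tty_echo_off" = yes ] && stty echo
        return 0
    }
    trap cleanup EXIT            # runs on every exit path of this subshell
    trap 'exit 1' HUP INT TERM   # turn signals into a normal exit so cleanup runs

    if [ -t 0 ]; then            # interactive use: prompt without echoing
        printf 'New password: ' >&2
        stty -echo; tty_echo_off=yes
    fi
    IFS= read -r password || :
    if [ "$tty_echo_off" = yes ]; then stty echo; tty_echo_off=no; echo >&2; fi

    [ -n "$password" ] || { echo 'empty password refused' >&2; exit 1; }
    printf '%s\n' "$password" > "$passfile"
    unset password

    status=0
    "$@" 3< "$passfile" || status=$?   # the command sees the password on fd 3
    exit "$status"
)

# Usage on FreeBSD, as root (same pw invocation as in the tip):
#   run_with_password_fd3 pw useradd -n test -c "Test User" -m -h 3
```

The wrapper only unlinks the temp file; it does not overwrite the blocks on disk.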
Moving Files by xinu on Nov 09, 2005 07:11 PM

If you need to move files, logs, or any kind of program output off a compromised system without disrupting evidentiary data on the disk, use netcat.

On your trusted system:

$ nc -v -l -p 2222 > victim.dump

On the victim's system:

$ <program> | nc <trusted_system> 2222

Where <program> is the discovery application you're running (e.g. netstat -an).

Tags: cleanup, commands, forensics, nc, netcat, paranoid, security, troubleshooting