Computer exploits often involve an attacker being able to compromise a sequence of hosts, creating a chain of 'stepping stones' from his source to ultimate target. Stepping stones are usually necessary to access well-protected resources, and also serve to mask the attacker's location. This paper describes means of constructing models of networks and the access control mechanisms they employ to approach the problem of finding which stepping stone paths are easiest for an attacker to find. While the simplest formulation of the problem can be addressed with deterministic shortest-path algorithms, we argue that consideration of what and how an attacker may (or may not) launch from a compromised host pushes one towards solutions based on Monte Carlo sampling. We describe the sampling algorithm and some preliminary results obtained using it.