Abel is the second part of the program. Designed as a Windows NT service, it is composed of two files, "Abel.exe" and "Abel.dll": the first is the main service executable and the second is a library that contains some required functions. Although Cain is Abel's main front-end, it does not need to be installed for Abel to work.

The service can be installed locally or remotely (using Cain) and requires Administrator privileges on the target machine.

Local Installation

Abel's local installation is really simple: copy the executable files into a directory and type "Abel" at the command prompt.

 

Remote Installation

The remote installation is even simpler. Cain's Service Manager will do everything for you, from the file copy to the service creation.

 

 

Once installed, like all other NT services, it can be managed using the standard Windows tools or Cain's Service Manager.

 

Abel communicates with Cain using the Windows named pipe "\\computername\pipe\abel" and can accept connections from multiple hosts at the same time. All data transmitted over this pipe is encrypted using the RC4 symmetric encryption algorithm and the fixed key "Cain & Abel". This is done only to scramble the traffic sent on the network and not to hide the program's intentions.

 

The service runs using the Local System account and provides some interesting features like the Remote NT Hashes Dumper, the Remote LSA Secrets Dumper and the Remote Console.
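The artifacts described above (the "Abel.exe" service binary, the Local System account and the "abel" named pipe) can be matched in Windows event data. The following Python code is an added example, not part of the original documentation; it assumes events have already been exported as dictionaries carrying the field names of Service Control Manager event 7045, Sysmon events 17/18 and Security event 5145, and every sample event in it is constructed.

```python
import re

# Indicators taken from the page: the service binary name and the pipe name.
ABEL_IMAGE = re.compile(r'(^|[\\/])abel\.exe"?(\s|$)', re.IGNORECASE)
ABEL_PIPE = "abel"

def pipe_leaf(name):
    """Reduce '\\\\host\\pipe\\abel', '\\abel' or 'abel' to the leaf 'abel'."""
    return name.replace("/", "\\").rstrip("\\").split("\\")[-1].lower()

def classify(event):
    """Return a finding string for one event dict, or None if it is unrelated."""
    eid = event.get("EventID")
    if eid == 7045:  # Service Control Manager: a service was installed
        if ABEL_IMAGE.search(event.get("ImagePath", "")):
            return f"service-install account={event.get('AccountName', '?')}"
    elif eid in (17, 18):  # Sysmon: pipe created (17) / pipe connected (18)
        if pipe_leaf(event.get("PipeName", "")) == ABEL_PIPE:
            kind = "created" if eid == 17 else "connected"
            return f"pipe-{kind} image={event.get('Image', '?')}"
    elif eid == 5145:  # Security: access check on a network share object
        share = event.get("ShareName", "").upper()
        target = pipe_leaf(event.get("RelativeTargetName", ""))
        if share.endswith("IPC$") and target == ABEL_PIPE:
            return f"remote-pipe-open from={event.get('IpAddress', '?')}"
    return None

def scan(events):
    """Return (computer, finding) pairs for every matching event, in order."""
    hits = []
    for ev in events:
        finding = classify(ev)
        if finding:
            hits.append((ev.get("Computer", "?"), finding))
    return hits

# Constructed sample events (host names, paths and addresses are made up).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "SRV01", "ImagePath": r"C:\Tools\Abel.exe",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "SRV01", "ImagePath": r"C:\Apps\label.exe",
     "AccountName": "LocalSystem"},
    {"EventID": 17, "Computer": "SRV01", "PipeName": r"\abel",
     "Image": r"C:\Tools\Abel.exe"},
    {"EventID": 18, "Computer": "SRV01", "PipeName": r"\babel", "Image": "x.exe"},
    {"EventID": 5145, "Computer": "SRV01", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "abel", "IpAddress": "192.0.2.10"},
    {"EventID": 5145, "Computer": "SRV01", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "srvsvc", "IpAddress": "192.0.2.10"},
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, finding)
```

Matching on the pipe leaf name and the binary file name keeps look-alikes such as "label.exe" or a pipe called "babel" from being flagged.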

How to remove Abel

Stop the service and then type "Abel -r" at the command prompt. You can also use Cain's Service Manager to do that. Once the service is removed, the executable files can be manually deleted from the system.

Usage

Some security software vendors like Internet Security Systems (ISS) classified Abel as a High Risk backdoor program (http://xforce.iss.net/xforce/xfdb/17320) and now they have signatures to recognize the program. Although I am not interested in their decision, I suggest that you use Abel for educational purposes only.