Some features present in Cain & Abel make use of socket resources:

Cain & Abel communications

Cain communicates with Abel using the native Windows protocols and named pipes. The name of the Abel pipe is "\\computername\pipe\abel" and can be used by multiple Cain machines at the same time.

APR, MAC Scanner and Promiscuous-mode Scanner

All these features use the Winpcap protocol driver.

APR-HTTPS

When APR is active Cain opens an acceptor socket listening on the HTTPS port set in the configuration dialog. This socket is used to accept incoming HTTPS client connections bridged from Winpcap (by mean of APR-HTTPS) only; direct connections to this port are immediately closed. Server-side HTTPS connections are performed using standard client sockets.

APR-FTPS

When APR is active Cain opens an acceptor socket listening on the FTPS port set in the configuration dialog. This socket is used to accept incoming FTPS client connections bridged from Winpcap (by mean of APR-FTPS) only; direct connections to this port are immediately closed. Server-side FTPS connections are performed using standard client sockets.

APR-IMAPS

When APR is active Cain opens an acceptor socket listening on the IMAPS port set in the configuration dialog. This socket is used to accept incoming IMAPS client connections bridged from Winpcap (by mean of APR-IMAPS) only; direct connections to this port are immediately closed. Server-side IMAPS connections are performed using standard client sockets.

APR-POP3S

When APR is active Cain opens an acceptor socket listening on the POP3S port set in the configuration dialog. This socket is used to accept incoming POP3S client connections bridged from Winpcap (by mean of APR-POP3S) only; direct connections to this port are immediately closed. Server-side POP3S connections are performed using standard client sockets.

APR-LDAPS

When APR is active Cain opens an acceptor socket listening on the LDAPS port set in the configuration dialog. This socket is used to accept incoming LDAPS client connections bridged from Winpcap (by mean of APR-LDAPS) only; direct connections to this port are immediately closed. Server-side LDAPS connections are performed using standard client sockets.

Certificate Collector

Cain grabs server certificate files from SSL enabled servers using normal client HTTPS sockets.

Cisco Config Dowloader/Uploader

This feature provide parameters to the Cisco device using SNMPv1 or SNMPv2 and it uses the TFTP port UDP 69 for the configuration's transfer. Cain acts as a TFTP server only for the time needed to download or upload a configuration file; after that sockets are destroyed and ports closed.

Traceroute

The traceroute uses raw sockets for UDP and ICMP protocols; TCP traceroute sends out packets using Winpcap to bypass the raw socket restrictions introduced by Microsoft in Windows XP SP2. If configured it also retrieves information of each hop using one more normal client socket directed to the RIPE WHOIS server.

Network Enumerator

Cain browses the network  by mean of the same APIs and protocols used by the Windows tool "explorer.exe".

Remote Registry

This feature uses the same APIs and protocols used by the Windows tool "regedit.exe".

SQL 2000/2005 Password Extractor

Client to server connections are made via ODBC to the remote SQL Server port.

MySQL Password Extractor

Client to server connections are made via ODBC to the remote MySQL Server port.

ORACLE Password Extractor

Client to server connections are made via ODBC to the remote ORACLE TNS Server port.

Routes Extractor

Routes information from RIP and EIGRP routers are extracted using relative protocols. No sockets are used here, request packets are sent using Winpcap driver.