Port 990 – FTPS Control (FTP Secure Control Channel)

Why It’s Open

Port 990 is used for the File Transfer Protocol over SSL/TLS (FTPS) control channel. This secure version of FTP provides encrypted command and control communications for file transfers. Unlike SFTP which uses SSH, FTPS adds SSL/TLS encryption to the traditional FTP protocol while maintaining its connection model.

Organizations use this port to enable secure file transfers while maintaining compatibility with legacy FTP infrastructure. It’s commonly found in environments that require secure file transfers but cannot transition to more modern protocols like SFTP.

Common Risks

• SSL/TLS Vulnerabilities:
  Weak encryption or protocol issues.
• Certificate Problems:
  Invalid or expired certificates.
• Authentication Bypass:
  Weak FTP authentication.
• Protocol Downgrade:
  Fallback to unsecured FTP.
• Data Interception:
  Despite encryption, configuration flaws.

Want to save time on reporting?

Let PentestPad generate, track, and export your reports - automatically.

Book a Demo

Enumeration & Testing

Check if it’s open:

nmap -sT -p 990

Test SSL/TLS:

openssl s_client -connect :990

Verify FTP over SSL:

curl -k ftps://:990/

What to Look For

Mitigation

• Strong Encryption:
  Enforce TLS 1.2+ and disable older protocols.
• Valid Certificates:
  Use properly signed SSL certificates.
• Strict Authentication:
  Require strong credentials and consider MFA.
• Secure Data Channel:
  Ensure both control and data channels are encrypted.
• Access Controls:
  Implement strict file and directory permissions.

TL;DR

• Port 990 = FTPS control channel
• Secure FTP with SSL/TLS
• Both control and data channels need protection
• Modern crypto protocols required

Known CVEs and Exploits

• CVE-2020-15778 – OpenSSH scp client vulnerability (affects secure file transfers)
• CVE-2019-6109 – OpenSSH missing character encoding (file transfer context)
• testssl.sh – Comprehensive SSL/TLS testing tool for FTPS servers