Have you ever been in an environment where direct network access is blocked, but cloud services like Azure Blob Storage are still reachable? What if I told you that you could tunnel your internet traffic through those blob storage endpoints? That’s exactly what ProxyBlob does.
In this post, I’ll walk you through what ProxyBlob is, how it works, how to set it up, and how you can use it to build a SOCKS proxy in restricted environments using Azure Blob Storage.
Prefer watching instead of reading? Here’s a quick video guide: https://youtu.be/Yf4-S5kpm_0
What Is ProxyBlob?
ProxyBlob is an open-source tool developed by Quarkslab that lets you create a SOCKS5 proxy tunnel through Azure Blob Storage.
- It helps your apps connect to the internet indirectly, by routing your traffic through Azure’s blob storage service.
- It’s ideal for situations where *.blob.core.windows.net is allowed, but other outbound traffic is blocked (e.g., in corporate or monitored networks).
Components of ProxyBlob
ProxyBlob has two main parts:
- Proxy Server – This runs on your machine and offers a SOCKS5 proxy interface.
- Agent – This runs inside the restricted target network and communicates with the proxy using Azure Blob Storage.
These two talk to each other by sending and receiving data via blobs.
Features of ProxyBlob
- SOCKS5 protocol support (TCP + UDP)
- Works entirely via Azure Blob Storage
- CLI with interactive commands
- Can manage multiple agents
- Easy to test locally using Azurite (Azure emulator)
Prerequisites
Before diving into setup, make sure you have:
- Go 1.23+ installed
- An Azure account
- Access to create Azure Storage Accounts
- Optionally, Docker or VS Code if testing with Azurite
Setting Up ProxyBlob
Let’s break this into simple steps:
Create an Azure Storage Account
You need a Premium Block Blob Storage Account. Here’s how you can do it via the Azure Portal:
- Go to https://portal.azure.com
- Search for “Storage accounts” and click “+ Create”
- Fill in the form:
  - Name: your-storage-name
  - Region: Close to you
  - Performance: Premium
  - Redundancy: LRS
  - Account kind: BlockBlobStorage
Once created, go to Security + networking > Access keys to get your storage credentials.
Or use the Azure CLI:
az login
az group create --name proxyblob-rg --location "Central US"
az storage account create \
  --name myproxyblob \
  --resource-group proxyblob-rg \
  --location "Central US" \
  --sku "Premium_LRS" \
  --kind BlockBlobStorage
az storage account keys list --account-name myproxyblob --output table
Local Testing with Azurite
If you just want to test locally:
With VS Code extension:
- Install the Azurite extension
- Start the Blob Service
With Docker:
docker pull mcr.microsoft.com/azure-storage/azurite
docker run -p 10000:10000 mcr.microsoft.com/azure-storage/azurite
Default creds:
- Account: devstoreaccount1
- Key: (Long key provided in README)
Clone and Build ProxyBlob
git clone https://github.com/quarkslab/proxyblob
cd proxyblob
make
This builds two binaries:
- proxy – for your local machine
- agent – for the restricted network
Configuration
Create a config file like this. The storage_url entry points at the local Azurite emulator; remove that line if using real Azure:
{
  "storage_url": "http://localhost:10000/",
  "storage_account_name": "your-storage-name",
  "storage_account_key": "your-key"
}
Save it as config.json or my-config.json.
Running ProxyBlob
Start the Proxy Server
./proxy -c my-config.json
This launches an interactive CLI.
Key commands:
- create – generates a new agent container and a connection string
- list – shows agent status
- select – selects an agent
- start – starts the proxy listener (default port: 1080)
Example:
proxyblob » create
proxyblob » list
proxyblob » select <container-id>
proxyblob » start
Start the Agent
You have two ways to pass the connection string:
Via CLI:
./agent -c <generated-connection-string>
Or embed at build time:
make agent TOKEN=<generated-connection-string>
./agent
How It Works (Architecture)
Here’s a simplified explanation of the workflow:
- Proxy writes requests as blobs into Azure storage
- Agent polls the blobs, reads the request, and processes it
- Agent writes back the response into a separate blob
- Proxy reads the response and forwards it to the client app
This creates a loop that emulates a direct SOCKS5 tunnel — but completely through blob storage.
You can now use tools like proxychains:
proxychains curl http://example.com
proxychains xfreerdp /v:myhost /u:user
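Seen from the restricted network's egress proxy, the polling loop described above is a sustained stream of requests from one client to one storage account host. The following is an added example (not part of ProxyBlob or the original post) that flags that pattern; the log line format, the sanctioned-account allowlist and the thresholds are assumptions, and it presumes the proxy logs one line per HTTP request.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BLOB_SUFFIX = ".blob.core.windows.net"
# Assumption: storage accounts the organisation really uses (hypothetical names).
SANCTIONED_ACCOUNTS = {"corpbackups", "corpartifacts"}

def blob_account(host):
    """Return the storage account name of a blob endpoint, or None."""
    host = host.lower()
    return host[: -len(BLOB_SUFFIX)] if host.endswith(BLOB_SUFFIX) else None

def find_polling(lines, min_minutes=5, min_per_minute=10):
    """Return sorted (client, account) pairs that hit an unsanctioned blob
    account at least min_per_minute times in min_minutes consecutive minutes."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        # Constructed format: "<ISO timestamp> <client ip> <method> <host>"
        ts, client, _method, host = line.split()
        account = blob_account(host)
        if account is None or account in SANCTIONED_ACCOUNTS:
            continue
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        buckets[(client, account)][minute] += 1
    flagged = []
    for key, counts in buckets.items():
        busy = sorted(m for m, n in counts.items() if n >= min_per_minute)
        run, longest, prev = 0, 0, None
        for minute in busy:
            consecutive = prev is not None and minute - prev == timedelta(minutes=1)
            run = run + 1 if consecutive else 1
            longest, prev = max(longest, run), minute
        if longest >= min_minutes:
            flagged.append(key)
    return sorted(flagged)

def sample_log():
    """Constructed sample: steady polling, a short burst, and sanctioned traffic."""
    start, lines = datetime(2025, 1, 1, 9, 0, 0), []
    def emit(client, host, count, step_s):
        for i in range(count):
            ts = (start + timedelta(seconds=step_s * i)).isoformat()
            lines.append(f"{ts} {client} {'PUT' if i % 3 == 0 else 'GET'} {host}")
    emit("10.0.0.23", "unknownacct" + BLOB_SUFFIX, 90, 4)   # 15 req/min for 6 min
    emit("10.0.0.51", "vendorfiles" + BLOB_SUFFIX, 20, 2)   # one 40 s burst
    emit("10.0.0.40", "corpbackups" + BLOB_SUFFIX, 120, 3)  # sanctioned account
    return lines

if __name__ == "__main__":
    print(find_polling(sample_log()))
```

Restricting egress to the specific storage accounts the organisation uses, rather than the whole *.blob.core.windows.net wildcard, is what makes the allowlist check meaningful.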
Troubleshooting Tips
Check the exit code:
echo $?
Common Fixes:
- Check Azure credentials
- Verify storage account accessibility
- Look for firewall issues
- Ensure correct connection string
What’s Coming Next?
According to the README, future improvements may include:
- Support for the BIND SOCKS command
- Better error handling
- Speed optimizations
Final Thoughts
ProxyBlob is a powerful example of protocol tunneling using cloud services. It’s especially useful for red teamers, pentesters, and defenders to understand the potential abuse of cloud storage services.
If you’re serious about network security, covert channels, or cloud abuse scenarios, I highly recommend experimenting with ProxyBlob — just make sure to use it ethically and responsibly.